Bug 1640528
Summary: | On RHEL 7.6 Undercloud installation fails on nova-api: sudo in nova-rootwrap blocked by SELinux | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Pavel Sedlák <psedlak> | |
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> | |
Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> | |
Severity: | urgent | Docs Contact: | ||
Priority: | urgent | |||
Version: | 7.6 | CC: | asoni, jmelvin, jpichon, jschluet, lhh, lvrabec, mmalik, pkomarov, plautrba, salmy, ssekidde, toneata, vmojzis, zcaplovi | |
Target Milestone: | rc | Keywords: | Triaged, ZStream | |
Target Release: | --- | |||
Hardware: | All | |||
OS: | Linux | |||
Whiteboard: | ||||
Fixed In Version: | selinux-policy-3.13.1-229.el7_6.6 | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | ||
Clone Of: | 1638547 | |||
: | 1645270 (view as bug list) | Environment: | ||
Last Closed: | 2019-08-06 12:52:32 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | ||||
Bug Blocks: | 1638547, 1638548, 1641671, 1641743, 1641746, 1645270, 1647587, 1651357, 1653106 |
Description
Pavel Sedlák
2018-10-18 09:44:57 UTC
Also another nova_t related denials from run OpenStack packstack installer in permissive mode are:
> type=AVC msg=audit(...): avc: denied { connectto } for pid=... comm="sudo" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:nova_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
> type=AVC msg=audit(...): avc: denied { execute } for pid=... comm="sudo" name="unix_chkpwd" dev="vda1" ino=... scontext=system_u:system_r:nova_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=1
> type=AVC msg=audit(...): avc: denied { execute_no_trans } for pid=... comm="sudo" path="/usr/sbin/unix_chkpwd" dev="vda1" ino=... scontext=system_u:system_r:nova_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=1
> type=AVC msg=audit(...): avc: denied { getattr } for pid=... comm="unix_chkpwd" path="/etc/shadow" dev="vda1" ino=... scontext=system_u:system_r:nova_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
> type=AVC msg=audit(...): avc: denied { open } for pid=... comm="unix_chkpwd" path="/etc/shadow" dev="vda1" ino=... scontext=system_u:system_r:nova_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
> type=AVC msg=audit(...): avc: denied { read } for pid=... comm="unix_chkpwd" name="shadow" dev="vda1" ino=... scontext=system_u:system_r:nova_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
> type=AVC msg=audit(...): avc: denied { read open } for pid=... comm="sudo" path="/usr/sbin/unix_chkpwd" dev="vda1" ino=... scontext=system_u:system_r:nova_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=1
> type=USER_AVC msg=audit(): pid=... uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=... scontext=system_u:system_r:nova_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
> type=USER_AVC msg=audit(): pid=... uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.login1.Manager member=CreateSession dest=org.freedesktop.login1 spid=... tpid=... scontext=system_u:system_r:nova_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
> type=USER_AVC msg=audit(): pid=... uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=... spid=... tpid=... scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:nova_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
commit 9684362a3b17030829324948190061f48f2c2126 (HEAD -> rhel7.7-contrib, origin/rhel7.7-contrib) Author: Lukas Vrabec <lvrabec> Date: Fri Oct 19 10:29:36 2018 +0200 Allow nova_t domain to use pam Resolves: rhbz:#1640528 *** Bug 1652035 has been marked as a duplicate of this bug. *** Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:2127 |