Bug 1671514

Summary: Since nis_enabled is not turned on by default, it breaks deployments with custom service ports
Product: Red Hat OpenStack
Reporter: David Vallee Delisle <dvd>
Component: openstack-selinux
Assignee: Julie Pichon <jpichon>
Status: CLOSED ERRATA
QA Contact: Julie Pichon <jpichon>
Severity: urgent
Priority: urgent
Version: 10.0 (Newton)
CC: dvd, jpichon, lhh, mgrepl
Target Milestone: zstream
Keywords: Triaged, ZStream
Target Release: 10.0 (Newton)
Hardware: x86_64
OS: Linux
Fixed In Version: openstack-selinux-0.8.17-2.el7ost
Doc Type: If docs needed, set a value
Clone Of: 1489863
: 1676446 (view as bug list)
Last Closed: 2019-04-30 16:59:39 UTC
Bug Depends On: 1489863

Description David Vallee Delisle 2019-01-31 19:11:39 UTC
+++ This bug was initially created as a clone of Bug #1489863 +++

Since nis_enabled is not automatically enabled, some deployments with custom ports are not working.

~~~
type=AVC msg=audit(1548880833.900:153941): avc:  denied  { name_connect } for  pid=4841 comm="glance-registry" dest=13357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket

	Was caused by:
	The boolean nis_enabled was set incorrectly. 
	Description:
	Allow nis to enabled

	Allow access by executing:
	# setsebool -P nis_enabled 1
~~~

Steps to reproduce:
- Deploy 10z9 with custom keystone port
- Spawn a stack

Actual result:

Glance registry fails with this traceback [1]

Workaround:
setsebool -P nis_enabled on

[1]
~~~
2019-01-31 11:16:07.334 4883 WARNING keystoneauth.identity.generic.base [-] Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL.
2019-01-31 11:16:07.336 4883 INFO eventlet.wsgi.server [-] Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/eventlet/wsgi.py", line 481, in handle_one_response
    result = self.application(self.environ, start_response)
  File "/usr/lib/python2.7/site-packages/webob/dec.py", line 130, in __call__
    resp = self.call_func(req, *args, **self.kwargs)
  File "/usr/lib/python2.7/site-packages/webob/dec.py", line 195, in call_func
    return self.func(req, *args, **kwargs)
  File "/usr/lib/python2.7/site-packages/oslo_middleware/base.py", line 126, in __call__
    response = req.get_response(self.application)
  File "/usr/lib/python2.7/site-packages/webob/request.py", line 1299, in send
    application, catch_exc_info=False)
  File "/usr/lib/python2.7/site-packages/webob/request.py", line 1263, in call_application
    app_iter = application(self.environ, start_response)
  File "/usr/lib/python2.7/site-packages/webob/dec.py", line 130, in __call__
    resp = self.call_func(req, *args, **self.kwargs)
  File "/usr/lib/python2.7/site-packages/webob/dec.py", line 195, in call_func
    return self.func(req, *args, **kwargs)
  File "/usr/lib/python2.7/site-packages/osprofiler/web.py", line 108, in __call__
    return request.get_response(self.application)
  File "/usr/lib/python2.7/site-packages/webob/request.py", line 1299, in send
    application, catch_exc_info=False)
  File "/usr/lib/python2.7/site-packages/webob/request.py", line 1263, in call_application
    app_iter = application(self.environ, start_response)
  File "/usr/lib/python2.7/site-packages/webob/dec.py", line 130, in __call__
    resp = self.call_func(req, *args, **self.kwargs)
  File "/usr/lib/python2.7/site-packages/webob/dec.py", line 195, in call_func
    return self.func(req, *args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystonemiddleware/auth_token/__init__.py", line 320, in __call__
    response = self.process_request(req)
  File "/usr/lib/python2.7/site-packages/keystonemiddleware/auth_token/__init__.py", line 552, in process_request
    resp = super(AuthProtocol, self).process_request(request)
  File "/usr/lib/python2.7/site-packages/keystonemiddleware/auth_token/__init__.py", line 348, in process_request
    data, user_auth_ref = self._do_fetch_token(request.user_token)
  File "/usr/lib/python2.7/site-packages/keystonemiddleware/auth_token/__init__.py", line 388, in _do_fetch_token
    data = self.fetch_token(token)
  File "/usr/lib/python2.7/site-packages/keystonemiddleware/auth_token/__init__.py", line 684, in fetch_token
    data = self._identity_server.verify_token(token)
  File "/usr/lib/python2.7/site-packages/keystonemiddleware/auth_token/_identity.py", line 214, in verify_token
    auth_ref = self._request_strategy.verify_token(user_token)
  File "/usr/lib/python2.7/site-packages/keystonemiddleware/auth_token/_identity.py", line 166, in _request_strategy
    strategy_class = self._get_strategy_class()
  File "/usr/lib/python2.7/site-packages/keystonemiddleware/auth_token/_identity.py", line 188, in _get_strategy_class
    if self._adapter.get_endpoint(version=klass.AUTH_VERSION):
  File "/usr/lib/python2.7/site-packages/keystoneauth1/adapter.py", line 146, in get_endpoint
    return self.session.get_endpoint(auth or self.auth, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/session.py", line 795, in get_endpoint
    return auth.get_endpoint(self, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/identity/base.py", line 212, in get_endpoint
    service_catalog = self.get_access(session).service_catalog
  File "/usr/lib/python2.7/site-packages/keystoneauth1/identity/base.py", line 136, in get_access
    self.auth_ref = self.get_auth_ref(session)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/identity/generic/base.py", line 179, in get_auth_ref
    self._plugin = self._do_create_plugin(session)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/identity/generic/base.py", line 174, in _do_create_plugin
    raise exceptions.DiscoveryFailure('Could not determine a suitable URL '
DiscoveryFailure: Could not determine a suitable URL for the plugin
~~~
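The AVC line in the description is the record a defender would want to catch automatically, so here is an added example (not part of the bug report and not openstack-selinux code) that parses audit lines of that shape and separates denials against a port with no service type (`unreserved_port_t` / `port_t`, the case a broad boolean like `nis_enabled` papers over) from denials against an already-typed port. The three extra sample lines are constructed for contrast; only the first is from the report.

```python
import re

# Constructed sample input for this example. The first line is the denial quoted
# in the bug description; the other three are made up to show contrasting cases
# (a denial against an already-typed port, a non-socket denial, a non-AVC record).
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1548880833.900:153941): avc:  denied  { name_connect } for  pid=4841 comm="glance-registry" dest=13357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1548880900.100:153990): avc:  denied  { name_connect } for  pid=5120 comm="glance-api" dest=3306 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1548880950.200:154010): avc:  denied  { read } for  pid=5130 comm="glance-api" name="glance-api.conf" dev="vda1" ino=1234 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1548880833.900:153941): arch=c000003e syscall=42 success=no exit=-13',
]

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Target types that a custom, unlabeled port falls under. Booleans such as
# nis_enabled open these wholesale, which is why they are reported separately.
UNLABELED_PORT_TYPES = {"unreserved_port_t", "port_t"}


def parse_avc(line):
    """Parse one audit line into a dict; return None for anything that is not an AVC record."""
    m = AVC_RE.match(line)
    if not m:
        return None
    rec = {"ts": float(m["ts"]), "serial": int(m["serial"]),
           "verdict": m["verdict"], "perms": m["perms"].split()}
    for key, val in KV_RE.findall(m["rest"]):
        rec[key] = val.strip('"')
    # user:role:type:level -> keep the type component for matching
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    if "dest" in rec:
        rec["dest"] = int(rec["dest"])
    return rec


def classify_port_denial(rec):
    """'unlabeled-port' for denials against a port with no service type, 'labeled-port'
    for denials against an already-typed port, None for everything else."""
    if rec["verdict"] != "denied" or rec.get("tclass") not in ("tcp_socket", "udp_socket"):
        return None
    if rec.get("tcontext_type") in UNLABELED_PORT_TYPES:
        return "unlabeled-port"
    return "labeled-port"


def scan(lines):
    """Return (comm, source type, port, target type, class) for every port denial in `lines`."""
    findings = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        kind = classify_port_denial(rec)
        if kind is not None:
            findings.append((rec["comm"], rec["scontext_type"], rec["dest"],
                             rec["tcontext_type"], kind))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_AUDIT_LINES):
        print("%-16s %-22s port %-6d %-20s %s" % f)
```

An "unlabeled-port" finding is the signal to decide between the two fixes: the boolean workaround given above, or giving the custom port the service's own type with `semanage port -a -t keystone_port_t -p tcp 13357`, which grants only what the policy already allows for `keystone_port_t` instead of every untyped port.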

Comment 1 Julie Pichon 2019-02-06 10:03:14 UTC
Hi, could you confirm which openstack-selinux RPM version is installed? Thank you.

Comment 2 Julie Pichon 2019-02-06 10:54:52 UTC
Also, it would be useful to run the command again with SELinux in permissive mode and provide the audit.log, in case there are other AVCs we need to make sure are cleared. Thank you.

Comment 4 David Vallee Delisle 2019-02-06 13:16:29 UTC
They have: openstack-selinux-0.8.14-13.el7ost.noarch

[1] If that can help, here's the infringed policy.

This is a very specific use case where they use port 13357 for keystone because they followed our recommendation [2]

~~~
# sepolicy network -a /usr/bin/glance-registry
 
glance_registry_t: tcp name_connect
        111 (portmap_port_t) -- Allowed True [ nis_enabled=1 ]
        11211 (memcache_port_t)
        113 (auth_port_t) -- Allowed True [ daemons_use_tcp_wrapper=0 || nis_enabled=1 ]
        389, 636, 3268, 3269, 7389 (ldap_port_t) -- Allowed True [ nis_enabled=1 || authlogin_nsswitch_use_ldap=0 ]
        4444, 1186, 3306, 63132-63164 (mysqld_port_t)
        32768-61000 (ephemeral_port_t)
        32768-61000 (ephemeral_port_t)
        35357 (keystone_port_t)
        5000 (commplex_main_port_t)
        53 (dns_port_t)
        80, 81, 443, 488, 8008, 8009, 8443, 9000 (http_port_t)
        88, 750, 4444 (kerberos_port_t) -- Allowed True [ nis_enabled=1 || kerberos_enabled=1 ]
        8955 (dnssec_port_t)
        9080 (ocsp_port_t) -- Allowed True [ kerberos_enabled=1 ]
        all ports < 1024 (reserved_port_type) -- Allowed True [ nis_enabled=1 ]
        all ports with out defined types (port_t) -- Allowed True [ nis_enabled=1 ]
 
glance_registry_t: tcp name_bind
        32768-61000 (ephemeral_port_t) -- Allowed True [ nis_enabled=1 ]
        9191 (glance_registry_port_t)
        all ports with out defined types (port_t) -- Allowed True [ nis_enabled=1 ]
 
glance_registry_t: udp name_bind
        32768-61000 (ephemeral_port_t) -- Allowed True [ nis_enabled=1 ]
        all ports with out defined types (port_t) -- Allowed True [ nis_enabled=1 ]
~~~

Comment 5 Julie Pichon 2019-02-08 10:41:13 UTC
Thank you for the reply and additional information. After investigating further, it looks like the issue that caused the booleans to not get picked up in some contexts was resolved, so reenabling this one for now should be ok.

Comment 14 Julie Pichon 2019-04-23 15:37:45 UTC
https://github.com/redhat-openstack/openstack-selinux/commit/282e8a1e450703e7c9f78121c9b0d2e00228fb55

Sanity-check:

$ rpm -q openstack-selinux
openstack-selinux-0.8.18-1.el7ost.noarch

$ ls /usr/share/openstack-selinux/0.8.18/tests/ | grep 1671514
bz1671514

$ sudo /usr/share/openstack-selinux/0.8.18/tests/check_all 
Results: 797 total, 0 failed
Overall result: PASS

Comment 16 errata-xmlrpc 2019-04-30 16:59:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0922