Bug 2039910
Summary: | [centos9] Missing openstack booleans possibly because of an error with container-selinux | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 9 | Reporter: | David Vallee Delisle <dvd> |
Component: | container-selinux | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED NEXTRELEASE | QA Contact: | atomic-bugs <atomic-bugs> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | CentOS Stream | CC: | bstinson, cjeanner, jnovy, jpichon, jwboyer, tsweeney |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2022-01-17 11:06:42 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
David Vallee Delisle
2022-01-12 17:31:17 UTC
[1] I got the same error when reinstalling container-selinux. Also this breaks deployment further down, now on the controllers [2]. It looks like it's related to this: https://github.com/containers/podman/issues/3234

[1]
~~~
[root@controller-0 ~]# dnf reinstall container-selinux
Last metadata expiration check: 1:58:10 ago on Wed 12 Jan 2022 04:45:29 PM UTC.
Dependencies resolved.
================================================================================
 Package             Architecture  Version            Repository                 Size
================================================================================
Reinstalling:
 container-selinux   noarch        3:2.172.1-1.el9    centos9-stream-appstream   44 k

Transaction Summary
================================================================================

Total download size: 44 k
Installed size: 54 k
Is this ok [y/N]: y
Downloading Packages:
container-selinux-2.172.1-1.el9.noarch.rpm                118 kB/s |  44 kB     00:00
--------------------------------------------------------------------------------
Total                                                     118 kB/s |  44 kB     00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1
  Running scriptlet: container-selinux-3:2.172.1-1.el9.noarch               1/2
  Reinstalling     : container-selinux-3:2.172.1-1.el9.noarch               1/2
  Running scriptlet: container-selinux-3:2.172.1-1.el9.noarch               1/2
Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:370
Failed to resolve AST
/usr/sbin/semodule:  Failed!
Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:370
Failed to resolve AST
semodule:  Failed!
  Running scriptlet: container-selinux-3:2.172.1-1.el9.noarch               2/2
Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:370
Failed to resolve AST
semodule:  Failed!
  Cleanup          : container-selinux-3:2.172.1-1.el9.noarch               2/2
  Running scriptlet: container-selinux-3:2.172.1-1.el9.noarch               2/2
  Verifying        : container-selinux-3:2.172.1-1.el9.noarch               1/2
  Verifying        : container-selinux-3:2.172.1-1.el9.noarch               2/2

Reinstalled:
  container-selinux-3:2.172.1-1.el9.noarch

Complete!
~~~

[2]
~~~
[root@controller-0 ~]# podman logs mysql_data_ownership
dumb-init: error while loading shared libraries: libc.so.6: cannot change memory protections

time->Wed Jan 12 17:50:37 2022
type=PROCTITLE msg=audit(1642009837.117:16077): proctitle=64756D622D696E6974002D2D0062617368002D6563006966205B202D65202F7661722F6C69622F6D7973716C2F6D7973716C205D3B207468656E206578697420303B2066690A6563686F202D6520225C6E5B6D7973716C645D5C6E77737265705F70726F76696465723D6E6F6E6522203E3E202F6574632F6D792E636E660A6B
type=SYSCALL msg=audit(1642009837.117:16077): arch=c000003e syscall=10 success=no exit=-13 a0=7fc26b2b2000 a1=1cb000 a2=0 a3=802 items=0 ppid=46688 pid=46691 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="dumb-init" exe="/usr/bin/dumb-init" subj=system_u:system_r:container_t:s0:c247,c961 key=(null)
type=AVC msg=audit(1642009837.117:16077): avc:  denied  { read } for  pid=46691 comm="dumb-init" path="/usr/lib64/libc.so.6" dev="vda2" ino=125829561 scontext=system_u:system_r:container_t:s0:c247,c961 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
~~~

So the error comes from local_settings.sh, exactly at the semanage import task [1]. I tried to import all these tasks individually but they all fail like this [2]. Not sure where to take it from there.

[1]
~~~
Installing OpenStack extra policies and setting booleans...
+ echo 'boolean -N -m --on virt_use_fusefs
boolean -N -m --on glance_api_can_network
boolean -N -m --on neutron_can_network
boolean -N -m --on glance_use_fusefs
boolean -N -m --on haproxy_connect_any
boolean -N -m --on nis_enabled
boolean -N -m --on rsync_full_access
boolean -N -m --on rsync_client
boolean -N -m --on virt_use_execmem
boolean -N -m --on virt_use_nfs
boolean -N -m --on daemons_enable_cluster_mode
boolean -N -m --on glance_use_execmem
boolean -N -m --on httpd_execmem
boolean -N -m --on domain_kernel_load_modules
boolean -N -m --on httpd_can_network_connect
boolean -N -m --on swift_can_network
boolean -N -m --on httpd_use_openstack
boolean -N -m --on collectd_tcp_network_connect
boolean -N -m --on domain_can_mmap_files
module -N -a /usr/share/selinux/packages/os-ovs.pp.bz2
module -N -a /usr/share/selinux/packages/os-swift.pp.bz2
module -N -a /usr/share/selinux/packages/os-nova.pp.bz2
module -N -a /usr/share/selinux/packages/os-neutron.pp.bz2
module -N -a /usr/share/selinux/packages/os-mysql.pp.bz2
module -N -a /usr/share/selinux/packages/os-glance.pp.bz2
module -N -a /usr/share/selinux/packages/os-rsync.pp.bz2
module -N -a /usr/share/selinux/packages/os-rabbitmq.pp.bz2
module -N -a /usr/share/selinux/packages/os-keepalived.pp.bz2
module -N -a /usr/share/selinux/packages/os-keystone.pp.bz2
module -N -a /usr/share/selinux/packages/os-haproxy.pp.bz2
module -N -a /usr/share/selinux/packages/os-mongodb.pp.bz2
module -N -a /usr/share/selinux/packages/os-ipxe.pp.bz2
module -N -a /usr/share/selinux/packages/os-redis.pp.bz2
module -N -a /usr/share/selinux/packages/os-cinder.pp.bz2
module -N -a /usr/share/selinux/packages/os-httpd.pp.bz2
module -N -a /usr/share/selinux/packages/os-gnocchi.pp.bz2
module -N -a /usr/share/selinux/packages/os-collectd.pp.bz2
module -N -a /usr/share/selinux/packages/os-virt.pp.bz2
module -N -a /usr/share/selinux/packages/os-dnsmasq.pp.bz2
module -N -a /usr/share/selinux/packages/os-octavia.pp.bz2
module -N -a /usr/share/selinux/packages/os-podman.pp.bz2
module -N -a /usr/share/selinux/packages/os-rsyslog.pp.bz2
module -N -a /usr/share/selinux/packages/os-pbis.pp.bz2
module -N -a /usr/share/selinux/packages/os-barbican.pp.bz2
module -N -a /usr/share/selinux/packages/os-logrotate.pp.bz2
module -N -a /usr/share/selinux/packages/os-certmonger.pp.bz2
module -N -a /usr/share/selinux/packages/os-timemaster.pp.bz2'
+ /sbin/semanage import -N
Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:370
Failed to resolve AST
OSError: [Errno 0] Error
~~~

[2]
~~~
[root@controller-0 ~]# echo 'module -N -a /usr/share/selinux/packages/os-ovs.pp.bz2
module -N -a /usr/share/selinux/packages/os-swift.pp.bz2
module -N -a /usr/share/selinux/packages/os-nova.pp.bz2
module -N -a /usr/share/selinux/packages/os-neutron.pp.bz2
module -N -a /usr/share/selinux/packages/os-mysql.pp.bz2
module -N -a /usr/share/selinux/packages/os-glance.pp.bz2
module -N -a /usr/share/selinux/packages/os-rsync.pp.bz2
module -N -a /usr/share/selinux/packages/os-rabbitmq.pp.bz2
module -N -a /usr/share/selinux/packages/os-keepalived.pp.bz2
module -N -a /usr/share/selinux/packages/os-keystone.pp.bz2
module -N -a /usr/share/selinux/packages/os-haproxy.pp.bz2
module -N -a /usr/share/selinux/packages/os-mongodb.pp.bz2
module -N -a /usr/share/selinux/packages/os-ipxe.pp.bz2
module -N -a /usr/share/selinux/packages/os-redis.pp.bz2
module -N -a /usr/share/selinux/packages/os-cinder.pp.bz2
module -N -a /usr/share/selinux/packages/os-httpd.pp.bz2
module -N -a /usr/share/selinux/packages/os-gnocchi.pp.bz2
module -N -a /usr/share/selinux/packages/os-collectd.pp.bz2
module -N -a /usr/share/selinux/packages/os-virt.pp.bz2
module -N -a /usr/share/selinux/packages/os-dnsmasq.pp.bz2
module -N -a /usr/share/selinux/packages/os-octavia.pp.bz2
module -N -a /usr/share/selinux/packages/os-podman.pp.bz2
module -N -a /usr/share/selinux/packages/os-rsyslog.pp.bz2
module -N -a /usr/share/selinux/packages/os-pbis.pp.bz2
module -N -a /usr/share/selinux/packages/os-barbican.pp.bz2
module -N -a /usr/share/selinux/packages/os-logrotate.pp.bz2
module -N -a /usr/share/selinux/packages/os-certmonger.pp.bz2
module -N -a /usr/share/selinux/packages/os-timemaster.pp.bz2' | while read l;do echo $l; echo $l | semanage import -N;done
module -N -a /usr/share/selinux/packages/os-ovs.pp.bz2
Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:370
Failed to resolve AST
OSError: [Errno 0] Error
module -N -a /usr/share/selinux/packages/os-swift.pp.bz2
Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:370
Failed to resolve AST
OSError: [Errno 0] Error
[...]
~~~

I think local_setting.sh is probably a red herring: openstack-selinux first installs a bunch of rules and then uses local_settings.sh to enable the new booleans it created. If the booleans don't exist because of the other issues, an error will be thrown.

I've been trying to reproduce the problem on a CentOS 9 environment to see if it might be possible to see which rule or symbol is missing in the container cil, but I'm not seeing a similar behaviour. container-selinux was preinstalled and reinstalls fine:

~~~
$ sudo dnf reinstall container-selinux
[...]
Running transaction
  Preparing        :                                                        1/1
  Running scriptlet: container-selinux-3:2.172.1-1.el9.noarch               1/2
  Reinstalling     : container-selinux-3:2.172.1-1.el9.noarch               1/2
  Running scriptlet: container-selinux-3:2.172.1-1.el9.noarch               1/2
  Cleanup          : container-selinux-3:2.172.1-1.el9.noarch               2/2
  Running scriptlet: container-selinux-3:2.172.1-1.el9.noarch               2/2
  Verifying        : container-selinux-3:2.172.1-1.el9.noarch               1/2
  Verifying        : container-selinux-3:2.172.1-1.el9.noarch               2/2

Reinstalled:
  container-selinux-3:2.172.1-1.el9.noarch
~~~

Then installing openstack-selinux from https://trunk.rdoproject.org/centos9-master/component/common/80/29/8029f4e1012ed261fe4ce4c3a6dff10817ec32d4_59fc4580/openstack-selinux-devel-0.8.29-0.20211110070709.7211283.el9.noarch.rpm also completes without errors:

~~~
$ sudo dnf install openstack-selinux-0.8.29-0.20211110070709.7211283.el9.noarch.rpm
Last metadata expiration check: 0:03:34 ago on Thu 13 Jan 2022 10:03:14.
Dependencies resolved.
========================================================================================================
 Package             Arch     Version                               Repository     Size
========================================================================================================
Installing:
 openstack-selinux   noarch   0.8.29-0.20211110070709.7211283.el9   @commandline   221 k

Transaction Summary
========================================================================================================
Install  1 Package

Total size: 221 k
Installed size: 304 k
Is this ok [y/N]: y
Downloading Packages:
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                  1/1
  Installing       : openstack-selinux-0.8.29-0.20211110070709.7211283.el9.noarch     1/1
  Running scriptlet: openstack-selinux-0.8.29-0.20211110070709.7211283.el9.noarch     1/1
  Verifying        : openstack-selinux-0.8.29-0.20211110070709.7211283.el9.noarch     1/1

Installed:
  openstack-selinux-0.8.29-0.20211110070709.7211283.el9.noarch

Complete!
~~~

I wonder if there might be a conflict elsewhere?

~~~
$ rpm -qa | grep selinux | sort
container-selinux-2.172.1-1.el9.noarch
libselinux-3.3-2.el9.x86_64
libselinux-utils-3.3-2.el9.x86_64
openstack-selinux-0.8.29-0.20211110070709.7211283.el9.noarch
python3-libselinux-3.3-2.el9.x86_64
rpm-plugin-selinux-4.16.1.3-9.el9.x86_64
selinux-policy-34.1.20-1.el9.noarch
selinux-policy-targeted-34.1.20-1.el9.noarch
~~~

I'm not running this in a container, though. The podman issue you linked to pointed to a configuration issue on labels... It may be worthwhile checking the file context of the directory where the containers are stored? Does this work after a restorecon?
> $ rpm -qa | grep selinux | sort
> container-selinux-2.172.1-1.el9.noarch
> libselinux-3.3-2.el9.x86_64
> libselinux-utils-3.3-2.el9.x86_64
> openstack-selinux-0.8.29-0.20211110070709.7211283.el9.noarch
> python3-libselinux-3.3-2.el9.x86_64
> rpm-plugin-selinux-4.16.1.3-9.el9.x86_64
> selinux-policy-34.1.20-1.el9.noarch
> selinux-policy-targeted-34.1.20-1.el9.noarch
>
I tried to restorecon the whole / and I have the same error when I reinstall openstack-selinux.
I'm looking at the package list you have and it looks like, except for a few additional packages on my side, my lab has selinux-policy-34.1.22-1 as opposed to selinux-policy-34.1.20-1 on yours.
~~~
[heat-admin@compute-0 ~]$ rpm -qa | grep selinux | sort
container-selinux-2.172.1-1.el9.noarch
ipa-selinux-4.9.8-1.el9.noarch
libselinux-3.3-2.el9.x86_64
libselinux-ruby-3.3-2.el9.x86_64
libselinux-utils-3.3-2.el9.x86_64
openstack-selinux-0.8.29-0.20211110070709.7211283.el9.noarch
openvswitch-selinux-extra-policy-1.0-30.el9s.noarch
pcp-selinux-5.3.5-3.el9.x86_64
python3-libselinux-3.3-2.el9.x86_64
rpm-plugin-selinux-4.16.1.3-9.el9.x86_64
selinux-policy-34.1.22-1.el9.noarch
selinux-policy-targeted-34.1.22-1.el9.noarch
~~~
Looking at the changelog for selinux-policy between .20 and .22 and I don't see anything that jumps

~~~
Changelogs for selinux-policy-34.1.22-1.el9.noarch
* Tue Jan 11 12:00:00 AM 2022 Zdenek Pytela <zpytela> - 34.1.22-1
- Allow sshd read filesystem sysctl files
  Resolves: rhbz#2036585
- Revert "Allow sshd read sysctl files"
  Resolves: rhbz#2036585

* Mon Jan 10 12:00:00 AM 2022 Zdenek Pytela <zpytela> - 34.1.21-1
- Remove the lockdown class from the policy
  Resolves: rhbz#2017848
- Revert "define lockdown class and access"
  Resolves: rhbz#2017848
- Allow gssproxy access to various system files.
  Resolves: rhbz#2026974
- Allow gssproxy read, write, and map ica tmpfs files
  Resolves: rhbz#2026974
- Allow gssproxy read and write z90crypt device
  Resolves: rhbz#2026974
- Allow sssd_kcm read and write z90crypt device
  Resolves: rhbz#2026974
- Allow abrt_domain read and write z90crypt device
  Resolves: rhbz#2026974
- Allow NetworkManager read and write z90crypt device
  Resolves: rhbz#2026974
- Allow smbcontrol read the network state information
  Resolves: rhbz#2038157
- Allow virt_domain map vhost devices
  Resolves: rhbz#2035702
- Allow fcoemon request the kernel to load a module
  Resolves: rhbz#2034463
- Allow lldpd connect to snmpd with a unix domain stream socket
  Resolves: rhbz#2033315
- Allow ModemManager create a qipcrtr socket
  Resolves: rhbz#2036582
- Allow ModemManager request to load a kernel module
  Resolves: rhbz#2036582
- Allow sshd read sysctl files
~~~

I really think it's a change in selinux-policy or the targeted one that breaks this. On the undercloud, we have 34.1.20-1 and it works fine [1] as opposed to 34.1.22-1 on the compute [2]. I just diffed the source packages [3] and we removed this line from container.te. That's the only thing I can see:

~~~
allow container_runtime_domain self:lockdown { confidentiality integrity };
~~~

This is the related commit [a]

[a] https://github.com/containers/container-selinux/commit/84d09cedf2dae8193d956e04a8abc7ef15b95f51

[1]
~~~
[stack@undercloud-0 ~]$ rpm -qa | grep selinux
libselinux-3.3-2.el9.x86_64
libselinux-utils-3.3-2.el9.x86_64
python3-libselinux-3.3-2.el9.x86_64
rpm-plugin-selinux-4.16.1.3-7.el9.x86_64
selinux-policy-34.1.20-1.el9.noarch
selinux-policy-targeted-34.1.20-1.el9.noarch
pcp-selinux-5.3.5-3.el9.x86_64
container-selinux-2.173.0-1.el9.noarch
openstack-selinux-0.8.29-0.20211110070709.7211283.el9.noarch
libselinux-ruby-3.3-2.el9.x86_64
openvswitch-selinux-extra-policy-1.0-30.el9s.noarch
ipa-selinux-4.9.8-1.el9.noarch
[stack@undercloud-0 ~]$ echo "module -N -a /usr/share/selinux/packages/os-nova.pp.bz2" | sudo semanage import -N
~~~

[2]
~~~
[root@compute-0 ~]# rpm -qa | grep selinux-policy
selinux-policy-34.1.22-1.el9.noarch
selinux-policy-targeted-34.1.22-1.el9.noarch
[root@compute-0 ~]# echo "module -N -a /usr/share/selinux/packages/os-nova.pp.bz2" | sudo semanage import -N
Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:370
Failed to resolve AST
OSError: [Errno 0] Error
~~~

[3]
~~~
diff -r selinux-policy-34.1.20-1.el9.src/container.fc selinux-policy-34.1.22-1.el9.src/container.fc
38,39d37
< /usr/bin/k3s	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
< /usr/local/bin/k3s	--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
44d41
< /usr/lib/systemd/system/k3s.*	--	gen_context(system_u:object_r:container_unit_file_t,s0)
112,120d108
< /var/lib/rancher/k3s(/.*)?	gen_context(system_u:object_r:container_var_lib_t,s0)
< /var/lib/rancher/k3s/data(/.*)?	gen_context(system_u:object_r:container_runtime_exec_t,s0)
< /var/lib/rancher/k3s/storage(/.*)?	gen_context(system_u:object_r:container_file_t,s0)
< /var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots	-d	gen_context(system_u:object_r:container_share_t,s0)
< /var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots/[^/]*	-d	gen_context(system_u:object_r:container_share_t,s0)
< /var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots/[^/]*/.*	<<none>>
< /var/lib/rancher/k3s/agent/containerd/[^/]*/sandboxes(/.*)?	gen_context(system_u:object_r:container_share_t,s0)
< /var/lib/rancher/k3s/data/.lock	gen_context(system_u:object_r:container_lock_t,s0)
< /var/lib/rancher/k3s/data/[^/]*/etc(/.*)?	gen_context(system_u:object_r:container_config_t,s0)
122,123d109
< /var/run/k3s(/.*)?	gen_context(system_u:object_r:container_var_run_t,s0)
< /var/run/k3s/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)?	gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)
Binary files selinux-policy-34.1.20-1.el9.src/container-selinux.tgz and selinux-policy-34.1.22-1.el9.src/container-selinux.tgz differ
diff -r selinux-policy-34.1.20-1.el9.src/container.te selinux-policy-34.1.22-1.el9.src/container.te
1c1
< policy_module(container, 2.172.0)
---
> policy_module(container, 2.173.0)
118d117
< allow container_runtime_domain self:lockdown { confidentiality integrity };
Only in selinux-policy-34.1.20-1.el9.src: selinux-policy-0b4c1a7aa0be1129efd7e7749100734416a3a10d
Only in selinux-policy-34.1.20-1.el9.src: selinux-policy-0b4c1a7.tar.gz
Only in selinux-policy-34.1.22-1.el9.src: selinux-policy-141c3fde08c02097e0b6fa179a33cc17371e9a22
Only in selinux-policy-34.1.22-1.el9.src: selinux-policy-141c3fd.tar.gz
Only in selinux-policy-34.1.20-1.el9.src: selinux-policy-34.1.20-1.el9.src.rpm
Only in selinux-policy-34.1.22-1.el9.src: selinux-policy-34.1.22-1.el9.src.rpm
diff -r selinux-policy-34.1.20-1.el9.src/selinux-policy.spec selinux-policy-34.1.22-1.el9.src/selinux-policy.spec
3c3
< %global commit 0b4c1a7aa0be1129efd7e7749100734416a3a10d
---
> %global commit 141c3fde08c02097e0b6fa179a33cc17371e9a22
26c26
< Version: 34.1.20
---
> Version: 34.1.22
794a795,832
~~~

Did another test and I downgraded the selinux-policy package to .20-1 [1]. This returned the same error as when we install openstack-selinux. But when I installed openstack-selinux after this, I didn't get the same error [2].

[1]
~~~
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Running scriptlet: selinux-policy-targeted-34.1.20-1.el9.noarch           1/1
  Preparing        :                                                        1/1
  Downgrading      : selinux-policy-34.1.20-1.el9.noarch                    1/4
  Running scriptlet: selinux-policy-34.1.20-1.el9.noarch                    1/4
Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:370
Failed to resolve AST
/usr/sbin/semodule:  Failed!
  Running scriptlet: selinux-policy-targeted-34.1.20-1.el9.noarch           2/4
  Downgrading      : selinux-policy-targeted-34.1.20-1.el9.noarch           2/4
  Running scriptlet: selinux-policy-targeted-34.1.20-1.el9.noarch           2/4
  Cleanup          : selinux-policy-34.1.22-1.el9.noarch                    3/4
  Running scriptlet: selinux-policy-34.1.22-1.el9.noarch                    3/4
  Cleanup          : selinux-policy-targeted-34.1.22-1.el9.noarch           4/4
  Running scriptlet: selinux-policy-targeted-34.1.22-1.el9.noarch           4/4
  Running scriptlet: selinux-policy-targeted-34.1.20-1.el9.noarch           4/4
  Running scriptlet: selinux-policy-targeted-34.1.22-1.el9.noarch           4/4
  Verifying        : selinux-policy-34.1.20-1.el9.noarch                    1/4
  Verifying        : selinux-policy-34.1.22-1.el9.noarch                    2/4
  Verifying        : selinux-policy-targeted-34.1.20-1.el9.noarch           3/4
  Verifying        : selinux-policy-targeted-34.1.22-1.el9.noarch           4/4

Downgraded:
  selinux-policy-34.1.20-1.el9.noarch  selinux-policy-targeted-34.1.20-1.el9.noarch

Complete!
~~~

[2]
~~~
[root@compute-0 ~]# dnf reinstall openstack-selinux
Last metadata expiration check: 0:19:38 ago on Thu 13 Jan 2022 12:03:40 PM EST.
Dependencies resolved.
================================================================================
 Package             Architecture  Version                               Repository                  Size
================================================================================
Reinstalling:
 openstack-selinux   noarch        0.8.29-0.20211110070709.7211283.el9   delorean-component-common   221 k

Transaction Summary
================================================================================

Total download size: 221 k
Installed size: 304 k
Is this ok [y/N]: y
Downloading Packages:
openstack-selinux-0.8.29-0.20211110070709.7211283.el9.noarch.rpm     143 kB/s | 221 kB     00:01
--------------------------------------------------------------------------------
Total                                                                143 kB/s | 221 kB     00:01
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                  1/1
  Reinstalling     : openstack-selinux-0.8.29-0.20211110070709.7211283.el9.noarch     1/2
  Running scriptlet: openstack-selinux-0.8.29-0.20211110070709.7211283.el9.noarch     1/2
  Running scriptlet: openstack-selinux-0.8.29-0.20211110070709.7211283.el9.noarch     2/2
  Cleanup          : openstack-selinux-0.8.29-0.20211110070709.7211283.el9.noarch     2/2
  Verifying        : openstack-selinux-0.8.29-0.20211110070709.7211283.el9.noarch     1/2
  Verifying        : openstack-selinux-0.8.29-0.20211110070709.7211283.el9.noarch     2/2

Reinstalled:
  openstack-selinux-0.8.29-0.20211110070709.7211283.el9.noarch

Complete!
~~~

So if we upgrade to -22 and then downgrade to -20, we still don't see the os_* booleans.

I was able to solve this issue by excluding selinux-policy* from the global upgrade command. Because a commit is worth a 1000 words: https://gitlab.cee.redhat.com/osp17/rhel9-playground/-/commit/e016f8e94ea4a309d545c7232037016b1f37eeeb

Hello there,

I just deployed the following UC: master, on cs9.

It gives the following packages:
- openstack-selinux-0.8.29-0.20211110070709.7211283.el9.noarch
- container-selinux-2.173.0-1.el9.noarch
- kernel-5.14.0-41.el9.x86_64
- selinux-policy-34.1.22-1.el9.noarch

I get my booleans:

~~~
[CentOS-9 - stack@undercloud ~]$ getsebool -a | grep ^os
os_barbican_write_pki --> off
os_cinder_use_nfs --> on
os_dnsmasq_dac_override --> off
os_enable_vtpm --> off
os_glance_dac_override --> on
os_glance_use_nfs --> on
os_glance_use_sudo --> on
os_gnocchi_use_nfs --> on
os_haproxy_dac_override --> on
os_httpd_wsgi --> on
os_keepalived_dac_override --> on
os_keystone_use_execmem --> on
os_neutron_dac_override --> off
os_neutron_use_execmem --> on
os_nova_use_execmem --> on
os_openvswitch_dac_override --> on
os_swift_use_execmem --> on
os_virtlog_dac_override --> on
os_virtlogd_use_nfs --> on
~~~

UC deploy successful, with enforced SELinux. So it seems to be solved, at least for upstream? Would be good to get a second confirmation, just to be sure.

Here's how I deployed:

~~~
ansible-playbook -i inventory-builder2.yaml builder.yaml -e @environments/vm-centos9.yaml -e @local_env/centos-stream.yaml -e @local_env/master9.yaml -e @local_env/1ctl.yaml -e @local_env/colleagues-keys.yaml -e overcloud_image_update=false -e @local_env/lab2.yaml -t lab -e @local_env/overcloud.yaml
~~~

It uses the following repository versions: tripleo-ci-testing

And injects the following package repositories for the OS:

~~~
undercloud_custom_repositories:
  - name: custom-BaseOS
    file: centos-base
    uri: http://mirror.stream.centos.org/9-stream/BaseOS/x86_64/os
    priority: 100
  - name: custom-appstreams
    file: centos-appstreams
    uri: http://mirror.stream.centos.org/9-stream/AppStream/x86_64/os
    priority: 100
  - name: custom-crb
    file: centos-crb
    uri: http://mirror.stream.centos.org/9-stream/CRB/x86_64/os
    priority: 100
  - name: custom-ha
    file: centos-ha
    uri: http://mirror.stream.centos.org/9-stream/HighAvailability/x86_64/os
    priority: 100
~~~

Note that this exact same command was failing last week - so, at least on my side, the SELinux issue is over (and I can work on the next one on my list :)).

Cheers,

C.

Thanks for the confirmation Cédric! For the record, I used the latest version of the centos9 image and I don't have the issue anymore.
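The root cause worked out in the thread above is a module rule that names an object class (lockdown) the base policy no longer declares, which the CIL resolver reports as "Failed to resolve allow statement at .../container/cil:370". The following is an added example, not code from the bug report, container-selinux or selinux-policy: it runs that resolution check offline over constructed, cut-down CIL fragments standing in for the 34.1.20 and 34.1.22 base policies and the 2.172.x container module, using hypothetical helpers `declared_classes()`, `check_module()` and `strip_unresolved()`.

```python
"""Static resolver check for SELinux CIL modules: flag allow rules whose object
class is not declared by the base policy. Added example, not code from the bug
report, container-selinux or selinux-policy. It models the thread's failure:
the container module still carried a rule on the lockdown class after
selinux-policy 34.1.21 removed that class. All CIL text below is constructed
for the example and reduced to a handful of classes."""

import re

# Constructed base-policy fragments. Real base modules declare every class with
# (class NAME (PERMS...)); the .20 fragment still has lockdown, .22 does not.
BASE_CIL_34_1_20 = """\
(class file (read write open getattr))
(class process (fork signal transition))
(class capability (sys_admin net_admin))
(class lockdown (integrity confidentiality))
"""
BASE_CIL_34_1_22 = """\
(class file (read write open getattr))
(class process (fork signal transition))
(class capability (sys_admin net_admin))
"""

# Constructed fragment of the 2.172.x container module in CIL form. Line 4 is
# the CIL rendering of the .te line the thread's diff shows being removed:
#   allow container_runtime_domain self:lockdown { confidentiality integrity };
CONTAINER_CIL_2_172 = """\
(typeattribute container_runtime_domain)
(allow container_runtime_domain self (process (fork signal)))
(allow container_runtime_domain self (capability (sys_admin)))
(allow container_runtime_domain self (lockdown (confidentiality integrity)))
(allow container_runtime_domain container_file_t (file (read write open)))
"""

CLASS_DECL_RE = re.compile(r"^\s*\((?:class|classmap)\s+(?P<name>[A-Za-z_]\w*)\b")
ALLOW_RE = re.compile(
    r"^\s*\(allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s+\((?P<cls>[A-Za-z_]\w*)\s*\("
)


def declared_classes(base_cil):
    """Collect the object classes (and classmaps) a base-policy CIL text declares."""
    names = set()
    for line in base_cil.splitlines():
        m = CLASS_DECL_RE.match(line)
        if m:
            names.add(m.group("name"))
    return names


def unresolved_allow_rules(module_cil, classes):
    """Return (line_number, class_name, rule) for each allow rule whose object
    class is absent from `classes`. Line numbers are 1-based, matching the
    `cil:NNN` location semodule prints when resolution fails."""
    problems = []
    for lineno, line in enumerate(module_cil.splitlines(), start=1):
        m = ALLOW_RE.match(line)
        if m is None:
            continue  # not an allow rule: typeattribute, typeattributeset, ...
        cls = m.group("cls")
        if cls not in classes:
            problems.append((lineno, cls, line.strip()))
    return problems


def check_module(module_cil, base_cil):
    """Resolve the allow rules of `module_cil` against the classes of `base_cil`."""
    return unresolved_allow_rules(module_cil, declared_classes(base_cil))


def strip_unresolved(module_cil, base_cil):
    """Return the module with unresolvable allow rules dropped: the same edit
    container-selinux 2.173.0 made by deleting the lockdown rule from container.te."""
    bad = {lineno for lineno, _, _ in check_module(module_cil, base_cil)}
    kept = [l for i, l in enumerate(module_cil.splitlines(), start=1) if i not in bad]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for label, base in (("34.1.20", BASE_CIL_34_1_20), ("34.1.22", BASE_CIL_34_1_22)):
        found = check_module(CONTAINER_CIL_2_172, base)
        print(f"selinux-policy {label}: {len(found)} unresolvable allow rule(s)")
        for lineno, cls, rule in found:
            print(f"  container/cil:{lineno}: class '{cls}' not declared: {rule}")
```

On a real host the base policy's declared classes come from the CIL of the `base` module in the store rather than from a fragment, but the check is the same: every class a module's allow rules name must exist in the base it is linked against.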