Bug 2049479

Summary: tripleo_swift_rsync_healthcheck issues lsof command and this command triggers ambiguous SELinux warnings
Product: Red Hat OpenStack
Reporter: Alex Stupnikov <astupnik>
Component: openstack-selinux
Assignee: Julie Pichon <jpichon>
Status: CLOSED ERRATA
QA Contact: David Rosenfeld <drosenfe>
Severity: medium
Priority: medium
Version: 16.2 (Train)
CC: amepatil, cjeanner, jpichon, lhh, lvrabec, mburns, slinaber
Target Milestone: ---
Keywords: Triaged
Target Release: ---
Hardware: All
OS: All
Fixed In Version: openstack-selinux-0.8.29-2.20211108135018.7211283.el8ost
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2022-03-23 22:13:07 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Alex Stupnikov 2022-02-02 10:25:48 UTC
Description of problem:

One of our customers reported a problem with tripleo_swift_rsync_healthcheck running on RHOSP director: this healthcheck calls the lsof command, which triggers SELinux denials (I would provide them privately to avoid exposing the customer's data). It looks like the denials come from the fact that the lsof command tries to access a block device.

At the same time, the affected healthcheck is used to confirm that the appropriate process is listening on the appropriate port, so a call related to a block device looks like a side effect to me.

[1] https://opendev.org/openstack/tripleo-common/src/branch/stable/train/healthcheck/swift-rsync
~~~
$ cat -n healthcheck/swift-rsync
     1	#!/bin/bash
     2	
     3	. ${HEALTHCHECK_SCRIPTS:-/usr/share/openstack-tripleo-common/healthcheck}/common.sh
     4	
     5	process='rsync'
     6	args="${@:-873}"
     7	
     8	if healthcheck_listen $process $args; then
     9	    exit 0
    10	else
    11	    ports=${args// /,}
    12	    echo "There is no $process process, listening on port(s) $ports, running in the container."
    13	    exit 1
    14	fi
~~~

[2] https://opendev.org/openstack/tripleo-common/src/branch/stable/train/healthcheck/common.sh#L85-L93
~~~
$ cat healthcheck/common.sh
...
    85	healthcheck_listen () {
    86	    process=$1
    87	
    88	    shift 1
    89	    args=$@
    90	    ports=${args// /,}
    91	    pids=$(pgrep -d ',' -f $process)
    92	    lsof -n -w -P -a -p${pids} -iTCP:${ports} -s TCP:LISTEN >&3 2>&1
    93	}

# lsof -n -w -P -a -p7 -iTCP:873 -s TCP:LISTEN
COMMAND PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
rsync     7 root    4u  IPv4 591056      0t0  TCP 192.168.24.1:873 (LISTEN)
~~~

I kindly ask you to take a second look. A sosreport from the affected node is attached to the support case.


Version-Release number of selected component (if applicable):
Red Hat OpenStack Platform release 16.2.0 GA (Train)

How reproducible:
The healthcheck triggers an SELinux warning.
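As an added example (not tripleo-common's code), the same "is this process listening on these ports?" check written to read the kernel's socket table and the process's fd links instead of invoking lsof, which is the step that touches block devices; the function names are hypothetical and it assumes a Linux /proc.

```shell
#!/bin/sh
# Added example, not tripleo-common's code: the healthcheck_listen contract
# (process name, then ports) implemented without lsof. lsof opens every fd of
# the target process, block devices included; this only reads the socket table
# and the fd symlinks. Function names are hypothetical.

# Decimal port -> the 4-digit uppercase hex used in /proc/net/tcp.
port_hex() { printf '%04X' "$1"; }

# Print the socket inodes in LISTEN state (st == 0A) on any of the given ports.
#   $1   = path to a /proc/net/tcp-style table
#   $2.. = decimal ports
listen_inodes() {
    table=$1; shift
    want=" "
    for p in "$@"; do want="$want$(port_hex "$p") "; done
    # columns: sl local_address rem_address st ... uid timeout inode
    awk -v want="$want" '
        NR > 1 && $4 == "0A" {
            split($2, a, ":")                # local_address is HEXIP:HEXPORT
            if (index(want, " " a[2] " ")) print $10
        }' "$table"
}

# Does process $1 hold socket inode $2 open? Looks only at its fd symlinks.
pid_owns_inode() {
    for fd in /proc/"$1"/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$2]" ] && return 0
    done
    return 1
}

# Same contract as healthcheck_listen: process name, then ports (default 873).
# Returns 0 when some matching pid owns a listening socket on one of the ports.
healthcheck_listen_proc() {
    process=$1; shift
    for pid in $(pgrep -f "$process"); do
        for inode in $(listen_inodes /proc/"$pid"/net/tcp ${*:-873}); do
            pid_owns_inode "$pid" "$inode" && return 0
        done
    done
    return 1
}
```

Note that /proc/<pid>/net/tcp lists the whole network namespace, so the inode has to be matched back to the pid through /proc/<pid>/fd; the hex IP 0118A8C0 in the kernel table is 192.168.24.1 in little-endian order.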

Comment 2 Cédric Jeanneret 2022-02-02 14:50:52 UTC
It should be solved already, with this:

https://github.com/redhat-openstack/openstack-selinux/commit/fb8fe99479bb9106bbcc672068da8c2dc7cb5a33

@jpichon care to provide a package version for 16.2 providing the associated patch?

Thanks!

Cheers,

C.

Comment 3 Julie Pichon 2022-02-02 17:07:54 UTC
Thank you for the report and including examples of the denials. In the future, it would be helpful to also include the installed version of the openstack-selinux package and attach the audit log directly on the bugzilla.

The patch mentioned in comment 2 will be available in openstack-selinux-0.8.29-2.20211108135018.7211283.el8ost and addresses the denials from comment 1.

Comment 14 errata-xmlrpc 2022-03-23 22:13:07 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Release of components for Red Hat OpenStack Platform 16.2.2), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1001