Bug 973354

Summary: Updated selinux-policy broke mysql-5.1 cartridge deployment
Product: OKD
Reporter: Diego Castro <spinolacastro>
Component: Containers
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: libra bugs <libra-bugs>
Severity: medium
Priority: unspecified
Version: 2.x
CC: dmcphers, kraman
Doc Type: Bug Fix
Last Closed: 2014-03-12 20:25:48 UTC
Type: Bug

Description Diego Castro 2013-06-11 18:44:22 UTC
Description of problem:
Last update of selinux-policy and selinux-policy-targeted broke mysql cartridges deployment on origin-release-1


Version that broke deployment:
selinux-policy-3.7.19-195.el6_4.10.noarch
selinux-policy-targeted-3.7.19-195.el6_4.10.noarch

Version that works:
selinux-policy-3.7.19-195.el6_4.6.noarch
selinux-policy-targeted-3.7.19-195.el6_4.6.noarch

How reproducible:
Add a mysql-5.1 cartridge

Actual results:
An error occurred.

Additional info:
mcollective.log

D, [2013-06-11T18:17:10.695489 #2686] DEBUG -- : pluginmanager.rb:83:in `[]' Returning cached plugin security_plugin with class MCollective::Security::Psk
D, [2013-06-11T18:17:10.695652 #2686] DEBUG -- : pluginmanager.rb:83:in `[]' Returning cached plugin security_plugin with class MCollective::Security::Psk
D, [2013-06-11T18:17:10.695902 #2686] DEBUG -- : base.rb:168:in `create_reply' Encoded a message for request f09e992ab8b258109348a4821ae3796e
D, [2013-06-11T18:17:10.696676 #2686] DEBUG -- : pluginmanager.rb:83:in `[]' Returning cached plugin connector_plugin with class MCollective::Connector::Stomp
D, [2013-06-11T18:17:10.696960 #2686] DEBUG -- : stomp.rb:230:in `publish' Sending a broadcast message to STOMP target '/topic/mcollective.openshift.reply'
D, [2013-06-11T18:17:10.703321 #2686] DEBUG -- : runnerstats.rb:56:in `block in sent' Incrementing replies stat
D, [2013-06-11T18:17:10.777568 #2686] DEBUG -- : runnerstats.rb:49:in `received' Incrementing total stat
D, [2013-06-11T18:17:10.777788 #2686] DEBUG -- : pluginmanager.rb:83:in `[]' Returning cached plugin security_plugin with class MCollective::Security::Psk
D, [2013-06-11T18:17:10.778185 #2686] DEBUG -- : runnerstats.rb:38:in `validated' Incrementing validated stat
D, [2013-06-11T18:17:10.778471 #2686] DEBUG -- : pluginmanager.rb:83:in `[]' Returning cached plugin security_plugin with class MCollective::Security::Psk
D, [2013-06-11T18:17:10.778691 #2686] DEBUG -- : pluginmanager.rb:83:in `[]' Returning cached plugin security_plugin with class MCollective::Security::Psk
D, [2013-06-11T18:17:10.779038 #2686] DEBUG -- : base.rb:117:in `block (2 levels) in validate_filter?' Passing based on agent openshift
D, [2013-06-11T18:17:10.779409 #2686] DEBUG -- : base.rb:142:in `block in validate_filter?' Passing based on identity
D, [2013-06-11T18:17:10.779609 #2686] DEBUG -- : base.rb:153:in `validate_filter?' Message passed the filter checks
D, [2013-06-11T18:17:10.779834 #2686] DEBUG -- : runnerstats.rb:26:in `passed' Incrementing passed stat
D, [2013-06-11T18:17:10.780021 #2686] DEBUG -- : runner.rb:80:in `agentmsg' Handling message for agent 'openshift' on collective 'mcollective'
D, [2013-06-11T18:17:10.780456 #2686] DEBUG -- : agents.rb:119:in `dispatch' Dispatching a message to agent openshift
D, [2013-06-11T18:17:10.780747 #2686] DEBUG -- : stomp.rb:197:in `receive' Waiting for a message from Stomp
D, [2013-06-11T18:17:10.785358 #2686] DEBUG -- : pluginmanager.rb:88:in `[]' Returning new plugin openshift_agent with class MCollective::Agent::Openshift
D, [2013-06-11T18:17:10.785718 #2686] DEBUG -- : cache.rb:105:in `read' Cache hit on 'ddl' key 'agent/openshift'
I, [2013-06-11T18:17:10.788429 #2686]  INFO -- : openshift.rb:42:in `cartridge_do_action' cartridge_do_action call / action: cartridge_do, agent=openshift, data={:cartridge=>"mysql-5.1",
 :action=>"deconfigure",
 :args=>
  {"--with-app-uuid"=>"51b768d485194366c4000045",
   "--with-app-name"=>"teste",
   "--with-container-uuid"=>"51b768d485194366c4000045",
   "--with-container-name"=>"teste",
   "--with-namespace"=>"caruccio",
   "--with-uid"=>1414,
   "--with-request-id"=>"a962e56f2b5380b8b772912d182862d7",
   "--cart-name"=>"mysql-5.1"},
 :process_results=>true}

I, [2013-06-11T18:17:10.789512 #2686]  INFO -- : openshift.rb:43:in `cartridge_do_action' cartridge_do_action validation = mysql-5.1 deconfigure {"--with-app-uuid"=>"51b768d485194366c4000045", "--with-app-name"=>"teste", "--with-container-uuid"=>"51b768d485194366c4000045", "--with-container-name"=>"teste", "--with-namespace"=>"caruccio", "--with-uid"=>1414, "--with-request-id"=>"a962e56f2b5380b8b772912d182862d7", "--cart-name"=>"mysql-5.1"}
I, [2013-06-11T18:17:10.789989 #2686]  INFO -- : openshift.rb:82:in `execute_action' Executing action [deconfigure] using method oo_deconfigure with args [{"--with-app-uuid"=>"51b768d485194366c4000045", "--with-app-name"=>"teste", "--with-container-uuid"=>"51b768d485194366c4000045", "--with-container-name"=>"teste", "--with-namespace"=>"caruccio", "--with-uid"=>1414, "--with-request-id"=>"a962e56f2b5380b8b772912d182862d7", "--cart-name"=>"mysql-5.1"}]
I, [2013-06-11T18:17:14.675385 #2686]  INFO -- : openshift.rb:91:in `execute_action' Finished executing action [deconfigure] (0)
I, [2013-06-11T18:17:14.675620 #2686]  INFO -- : openshift.rb:62:in `cartridge_do_action' cartridge_do_action reply (0):
------
No IP specified
/opt/rh/ruby193/root/usr/share/gems/gems/openshift-origin-node-1.7.26/lib/openshift-origin-node/model/frontend_proxy.rb:203:in `find_mapped_proxy_port'
/opt/rh/ruby193/root/usr/share/gems/gems/openshift-origin-node-1.7.26/lib/openshift-origin-node/model/application_container.rb:201:in `block in delete_public_endpoints'
/opt/rh/ruby193/root/usr/share/gems/gems/openshift-origin-node-1.7.26/lib/openshift-origin-node/model/application_container.rb:195:in `each'
/opt/rh/ruby193/root/usr/share/gems/gems/openshift-origin-node-1.7.26/lib/openshift-origin-node/model/application_container.rb:195:in `delete_public_endpoints'
/usr/bin/oo-delete-endpoints:71:in `<main>'
MySQL already stopped

------)

audit.log

type=AVC msg=audit(1370974889.684:2013548): avc:  denied  { search } for  pid=12389 comm="mysqld" name="/" dev=xvdo ino=2 scontext=unconfined_u:system_r:mysqld_t:s0-s0:c0.c1023 tcontext=system_u:object_r:openshift_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1370974889.684:2013548): arch=c000003e syscall=4 success=no exit=-13 a0=7fff380eea90 a1=7fff380eb9f0 a2=7fff380eb9f0 a3=fffffffffffffffd items=0 ppid=12373 pid=12389 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=21727 comm="mysqld" exe="/usr/libexec/mysqld" subj=unconfined_u:system_r:mysqld_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1370974889.686:2013549): avc:  denied  { getattr } for  pid=12389 comm="mysqld" path="/var/lib/openshift" dev=xvdo ino=2 scontext=unconfined_u:system_r:mysqld_t:s0-s0:c0.c1023 tcontext=system_u:object_r:openshift_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1370974889.686:2013549): arch=c000003e syscall=6 success=no exit=-13 a0=7fff380ede00 a1=7fff380edd30 a2=7fff380edd30 a3=10 items=0 ppid=12373 pid=12389 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=21727 comm="mysqld" exe="/usr/libexec/mysqld" subj=unconfined_u:system_r:mysqld_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1370974889.690:2013550): avc:  denied  { search } for  pid=12389 comm="mysqld" name="/" dev=xvdo ino=2 scontext=unconfined_u:system_r:mysqld_t:s0-s0:c0.c1023 tcontext=system_u:object_r:openshift_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1370974889.690:2013550): arch=c000003e syscall=87 success=no exit=-13 a0=7fff380eec40 a1=0 a2=0 a3=fffffffffffffffd items=0 ppid=12373 pid=12389 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=21727 comm="mysqld" exe="/usr/libexec/mysqld" subj=unconfined_u:system_r:mysqld_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1370974889.690:2013551): avc:  denied  { search } for  pid=12389 comm="mysqld" name="/" dev=xvdo ino=2 scontext=unconfined_u:system_r:mysqld_t:s0-s0:c0.c1023 tcontext=system_u:object_r:openshift_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1370974889.690:2013551): arch=c000003e syscall=2 success=no exit=-13 a0=7fff380eee40 a1=42 a2=1b6 a3=fffffffffffffffd items=0 ppid=12373 pid=12389 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=21727 comm="mysqld" exe="/usr/libexec/mysqld" subj=unconfined_u:system_r:mysqld_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1370974889.691:2013552): avc:  denied  { search } for  pid=12389 comm="mysqld" name="/" dev=xvdo ino=2 scontext=unconfined_u:system_r:mysqld_t:s0-s0:c0.c1023 tcontext=system_u:object_r:openshift_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1370974889.691:2013552): arch=c000003e syscall=87 success=no exit=-13 a0=7fff380eec40 a1=0 a2=0 a3=fffffffffffffffd items=0 ppid=12373 pid=12389 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=21727 comm="mysqld" exe="/usr/libexec/mysqld" subj=unconfined_u:system_r:mysqld_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1370974889.691:2013553): avc:  denied  { search } for  pid=12389 comm="mysqld" name="/" dev=xvdo ino=2 scontext=unconfined_u:system_r:mysqld_t:s0-s0:c0.c1023 tcontext=system_u:object_r:openshift_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1370974889.691:2013553): arch=c000003e syscall=2 success=no exit=-13 a0=7fff380eee40 a1=42 a2=1b6 a3=fffffffffffffffd items=0 ppid=12373 pid=12389 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=21727 comm="mysqld" exe="/usr/libexec/mysqld" subj=unconfined_u:system_r:mysqld_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1370974889.691:2013554): avc:  denied  { search } for  pid=12389 comm="mysqld" name="/" dev=xvdo ino=2 scontext=unconfined_u:system_r:mysqld_t:s0-s0:c0.c1023 tcontext=system_u:object_r:openshift_var_lib_t:s0 tclass=dir
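
Added example, not part of the original report: a small Python triage script that groups AVC denials like those in the audit.log excerpt above by source type, target type and object class, and renders each group in allow-rule form for policy review. The sample input is constructed from records in the excerpt, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: two AVC records copied from the excerpt above plus one
# SYSCALL record shortened for width; repeated denials are omitted.
SAMPLE = (
    'type=AVC msg=audit(1370974889.684:2013548): avc:  denied  { search } for  '
    'pid=12389 comm="mysqld" name="/" dev=xvdo ino=2 '
    'scontext=unconfined_u:system_r:mysqld_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:openshift_var_lib_t:s0 tclass=dir\n'
    'type=SYSCALL msg=audit(1370974889.684:2013548): syscall=4 success=no exit=-13\n'
    'type=AVC msg=audit(1370974889.686:2013549): avc:  denied  { getattr } for  '
    'pid=12389 comm="mysqld" path="/var/lib/openshift" dev=xvdo ino=2 '
    'scontext=unconfined_u:system_r:mysqld_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:openshift_var_lib_t:s0 tclass=dir\n'
)

AVC_RE = re.compile(r'^type=AVC .*?avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field (third component) of user:role:type:level."""
    return context.split(":")[2]

def summarize(log_text):
    """Group denials by (source type, target type, class); skip non-AVC records."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "count": 0})
    for line in log_text.splitlines():
        m = AVC_RE.match(line.strip())
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
        if not {"scontext", "tcontext", "tclass"} <= fields.keys():
            continue  # truncated record: not enough to classify
        key = (selinux_type(fields["scontext"]),
               selinux_type(fields["tcontext"]), fields["tclass"])
        groups[key]["perms"].update(m.group(1).split())
        groups[key]["comms"].add(fields.get("comm", "?"))
        groups[key]["count"] += 1
    return dict(groups)

def to_rules(groups):
    """Render each group as an allow-rule candidate for policy review."""
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(g["perms"])))
            for (s, t, c), g in sorted(groups.items())]

if __name__ == "__main__":
    for rule in to_rules(summarize(SAMPLE)):
        print(rule)
```

On the sample, every denial collapses into one group: the `mysqld_t` domain lacking `search` and `getattr` on directories labelled `openshift_var_lib_t`.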

Comment 1 Krishna Raman 2013-06-13 11:03:31 UTC
I think this is related to v1 cartridges.

Comment 2 Krishna Raman 2013-06-13 11:04:36 UTC
@Diego perhaps you should downgrade to the selinux rpms that work, since we won't be supporting v1 cartridges any longer in Origin.

Comment 3 Diego Castro 2013-06-13 13:27:42 UTC
I did, just sent bug to be sure it doesn't affect v2 cartridges.

Comment 4 Dan McPherson 2014-03-12 20:25:48 UTC
Fixed with v2 cartridges.