Bug 999117

Summary: oo-admin-cartridge -a install does not restorecon the installed cartridge
Product: OKD
Reporter: Luke Meyer <lmeyer>
Component: Containers
Assignee: Jhon Honce <jhonce>
Status: CLOSED CURRENTRELEASE
QA Contact: libra bugs <libra-bugs>
Severity: medium
Priority: unspecified
Version: 2.x
CC: mmasters, pep, yadu
Target Milestone: ---
Keywords: UpcomingRelease
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2014-01-30 00:46:40 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 998995, 1053029

Description Luke Meyer 2013-08-20 18:52:01 UTC
Description of problem:
If you do:
oo-admin-cartridge -a install -s /path/to/cartridge
... then the cartridge is installed with a copy of the original context it was checked out in.

The specific problem that happened was that a git repo was checked out in /root and then installed. Then cron was unable to update the mco cart_list fact because it couldn't read context admin_home_t. Other more serious problems may be imagined.

Version-Release number of selected component (if applicable):
OSE rubygem-openshift-origin-node-1.9.14.1 but also in current repo

Steps to Reproduce:
1. On a node, make sure SELinux is enforcing: setenforce 1
2. cd /root
3. git clone https://github.com/openshift/origin-server.git
4. oo-admin-cartridge -a install -s origin-server/cartridges/openshift-origin-cartridge-phpmyadmin
5. grep cart_list /etc/mcollective/facts.yaml
6. wait for (5) to change

Actual results:
The cartridge list never changes. If you setenforce 0 and look in the audit.log, you'll see it's being denied based on the context of the installed cartridge.

Expected results:
Cartridge should always be installed in the cartridge repository with the correct context, e.g.:
# ls -lZ /var/lib/openshift/.cartridge_repository/redhat-phpmyadmin/0.0.1/metadata/manifest.yml
-rw-r--r--. root root unconfined_u:object_r:openshift_var_lib_t:s0 /var/lib/openshift/.cartridge_repository/redhat-phpmyadmin/0.0.1/metadata/manifest.yml

Additional info:
As of this writing, looks like the problem is here:
https://github.com/openshift/origin-server/blob/master/node/lib/openshift-origin-node/model/cartridge_repository.rb#L179

Utils.oo_spawn("shopt -s dotglob; /bin/cp -ad #{directory}/* #{entry.repository_path}",
               expected_exitstatus: 0)

cp -a retains SELinux context. Should that perhaps be followed by "&& restorecon -R #{entry.repository_path}" ?
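
Added example (not part of the bug report or of origin-server): a small post-install label check that a node admin can use to confirm a cartridge in the cartridge repository carries the expected SELinux type rather than the type it was checked out with. To run offline it reads ls -lZ style lines from stdin instead of listing a live filesystem; the two sample lines are constructed, modelled on the ones in this report, and the function names (find_mislabeled, count_mislabeled) are mine. The expected type openshift_var_lib_t is the one shown under "Expected results" above.

```shell
#!/bin/sh
# Added example, not from the bug or the origin-server code base.
# Reads "ls -lZ" style lines from stdin and reports every entry whose
# SELinux type is not the one passed as $1.
#
# Input line shape (as quoted in the report):
#   <perms> <owner> <group> <user_u:role_r:type_t:level> <path>
# Prints "<type> <path>" for each mismatch; returns 1 if any were found.
find_mislabeled() {
    expected="$1"
    status=0
    while read -r perms owner group context path; do
        [ -n "$path" ] || continue          # skip blank lines
        # The type is the third colon-separated field of the context:
        # strip "user:role:" then everything from the next ':' onward.
        type=${context#*:*:}
        type=${type%%:*}
        if [ "$type" != "$expected" ]; then
            printf '%s %s\n' "$type" "$path"
            status=1
        fi
    done
    return $status
}

# Constructed sample: the first file still carries admin_home_t from a
# checkout under /root (the symptom in this bug); the second is labelled
# correctly for /var/lib/openshift.
SAMPLE='-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /var/lib/openshift/.cartridge_repository/redhat-phpmyadmin/0.0.1/metadata/manifest.yml
-rw-r--r--. root root system_u:object_r:openshift_var_lib_t:s0 /var/lib/openshift/.cartridge_repository/redhat-phpmyadmin/0.0.1/bin/control'

# Number of mislabeled entries in the sample. On a real node, feed the
# output of "ls -lZ -R <cartridge dir>" instead (after dropping the
# directory headers and "total" lines that -R adds).
count_mislabeled() {
    printf '%s\n' "$SAMPLE" | find_mislabeled openshift_var_lib_t | wc -l | tr -d ' '
}

count_mislabeled
```

On a live node the same question can be asked of the policy directly: `restorecon -Rnv /var/lib/openshift/.cartridge_repository/<cartridge>/<version>` lists the files whose label differs from the default context without changing anything, and dropping `-n` applies the fix the report proposes.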

Comment 1 Miciah Dashiel Butler Masters 2013-09-10 17:02:13 UTC
Pull request: https://github.com/openshift/origin-server/pull/3601

Comment 2 openshift-github-bot 2014-01-14 00:56:14 UTC
Commit pushed to master at https://github.com/openshift/origin-server

https://github.com/openshift/origin-server/commit/9af45ffce31442fb723b85761a798999d88251c8
CartridgeRepository#install: Don't keep context

Don't preserve the context when installing a cartridge into the cartridge
repository.  The cartridge needs to be relabeled using the default
contexts.

This commit fixes bug 999117.

Comment 3 Yan Du 2014-01-15 10:09:25 UTC
Test on devenv_4224

[root@ip-10-73-161-138 ~]# setenforce 1
[root@ip-10-73-161-138 ~]# ls -lZ origin-server/cartridges/openshift-origin-cartridge-phpmyadmin/metadata/manifest.yml
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 origin-server/cartridges/openshift-origin-cartridge-phpmyadmin/metadata/manifest.yml

[root@ip-10-73-161-138 ~]# oo-admin-cartridge -a install -s origin-server/cartridges/openshift-origin-cartridge-phpmyadmin
succeeded

[root@ip-10-71-138-94 .cartridge_repository]# ls -lZ /var/lib/openshift/.cartridge_repository/redhat-phpmyadmin/0.0.6/metadata/manifest.yml
-rw-r--r--. root root system_u:object_r:openshift_var_lib_t:s0 /var/lib/openshift/.cartridge_repository/redhat-phpmyadmin/0.0.6/metadata/manifest.yml

The cartridge is relabeled using the default contexts.

Move to verified.