Bug 1038237 - [selinux policy] openshift selinux policy needs to allow for transition
Summary: [selinux policy] openshift selinux policy needs to allow for transition
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Online
Classification: Red Hat
Component: Containers
Version: 2.x
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
: 2.x
Assignee: Jhon Honce
QA Contact: libra bugs
URL:
Whiteboard:
: 1040145 (view as bug list)
Depends On:
Blocks: 1032691 1039851
TreeView+ depends on / blocked
 
Reported: 2013-12-04 16:55 UTC by Kenny Woodson
Modified: 2015-07-07 23:48 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-07-07 23:48:47 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description Kenny Woodson 2013-12-04 16:55:24 UTC 
Description of problem:

We have our zabbix monitoring user perform restarts of services when he detects that they are down.  During a recent mcollective restart we noticed that the selinux contexts had changed.  Here is what it looks like:

system_u:system_r:zabbix_agent_t:s0 (mcollective process)

Normally it is:

system_u:system_r:openshift_initrc_t:s0-s0:c0.c1023
OR
unconfined_u:system_r:openshift_initrc_t:s0-s0:c0.c1023

It appears that the service restart from zabbix needs to allow the transition back to the openshift context. 

Version-Release number of selected component (if applicable):
Current.

How reproducible:
Very in our environment.

Steps to Reproduce:
1.  As root, stop the mcollective service
2.  Zabbix will detect that mcollective is down and attempt to restart it.
3.  Once restarted it will have the new context.

Actual results:

Mcollective process now has zabbix_agent_t as a context.

Expected results:

Should return to openshift_initrc_t.

Additional info:

Please let me know if you need any information on this.  Excuse my ignorance when it comes to selinux but I believe we would like our policy to allow the zabbix user to restart services and for those services to transition back to their normal contexts.

I believe this is new as of RHEL 6.5
Comment 1 Jhon Honce 2013-12-10 20:18:20 UTC 
*** Bug 1040145 has been marked as a duplicate of this bug. ***
Comment 2 openshift-github-bot 2013-12-20 02:36:38 UTC 
Commit pushed to master at https://github.com/openshift/li

https://github.com/openshift/li/commit/d22e439902d96b4c9767b674a217313cba829d40
Bug 1038237 - unconfine Zabbix agent for Online

* As a stop gap solution for OpenShift Online add selinux policy
  to unconfine Zabbix agent. Code provided by dwalsh.
Comment 3 Michal Fojtik 2014-01-24 09:26:19 UTC 
With the recent commit pushed to 'li', shouldn't this BZ be ON_QA?

Also, is there relation with https://bugzilla.redhat.com/show_bug.cgi?id=1032691?
Comment 4 Jhon Honce 2014-01-24 15:19:50 UTC 
Stop gap solution was put in place, waiting on backport of permanent solution from selinux team. BZ#1032691 is tracking that change.
Comment 5 Dan McPherson 2014-02-08 00:51:49 UTC 
Jhon, so do we need this bug in addition to 1032691?
Comment 6 Jhon Honce 2014-02-10 15:20:30 UTC 
https://bugzilla.redhat.com/show_bug.cgi?id=1032691 is tracking the change in the default policy files, this bug is to remind us to pull the customized policies for Online.
Comment 7 Dan McPherson 2015-06-11 21:49:35 UTC 
Jhon,  looks like the above references are all closed.  Something we need to do now?
Comment 9 Jhon Honce 2015-06-16 17:16:49 UTC 
Fixed in https://github.com/openshift/li/pull/3021
Comment 10 openshift-github-bot 2015-06-17 01:15:19 UTC 
Commit pushed to master at https://github.com/openshift/li

https://github.com/openshift/li/commit/47dba74db2df0556a6f40a0fa7e7faa7c853e531
Bug 1038237 - remove online Zabbix policy

* Revert d22e439902d96b4c9767b674a217313cba829d40
Comment 11 zhaozhanqi 2015-06-24 06:37:11 UTC 
since zabbix has been remove from li, so Verified this bug
Note You need to log in before you can comment on or make changes to this bug.