Bug 1105344
| Summary: | AVCs of "load_policy" and "swift-proxy-ser" during nova-controller deployments. | | |
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Omri Hochman <ohochman> |
| Component: | openstack-selinux | Assignee: | Lon Hohberger <lhh> |
| Status: | CLOSED ERRATA | QA Contact: | Alexander Chuzhoy <sasha> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 5.0 (RHEL 6) | CC: | aberezin, fdupont, lhh, mgrepl, morazi, rhallise, rhos-maint, sasha, yeylon, zaitcev |
| Target Milestone: | rc | | |
| Target Release: | 5.0 (RHEL 7) | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | openstack-selinux-0.5.4-1.el7ost | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-07-08 15:14:13 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Attachments: | | | |
Created attachment 902706 [details]
messages

The first two don't look like they were caused by swift. The last 3 are all the same, but we need to know what swift's doing with those files (it may be specific to Staypuft).

Pete - any ideas what swift does with those files - they're the ones in /etc/httpd/conf, /etc/httpd/conf.d, /etc/httpd/conf.modules.d? I don't see anything obvious on a non-staypuft deployment.

Lon, these are Apache configuration files. Swift itself does not even know they exist, since it's a WSGI app. We (RHOS/RDO) do not support running Swift under Apache (through mod_wsgi or other means), and do not provide any configuration samples to do that, so our RPMs never touch /etc/httpd/*, but the code is included to support Apache if anyone is sufficiently enterprising. Sorry, I don't know what "Staypuft" is. But I suspect Omri's customer configured Apache to run Swift in this case, and Swift's SELinux policy was caught flat-footed by such trickery.

Created attachment 907855 [details]
audit.log
adding audit.log
Interestingly, the audit.log has different AVCs in it. I wonder if the original AVCs are no longer a problem.
```
require {
	type keystone_port_t;
	type memcache_port_t;
	type swift_t;
	class tcp_socket name_connect;
}

#============= swift_t ==============
allow swift_t keystone_port_t:tcp_socket name_connect;
allow swift_t memcache_port_t:tcp_socket name_connect;
```
^ This is all valid for swift to do.
I also reproduced the swift ones on selinux-policy-3.12.1-153.el7_0.10

https://github.com/redhat-openstack/openstack-selinux/commit/9334f2c6f8a456507a7fa77bf29c656318782ee7

Thanks to Miroslav Grepl for his input.

Environment:
foreman-installer-staypuft-0.0.18-1.el6ost.noarch
ruby193-rubygem-staypuft-0.1.4-1.el6ost.noarch
openstack-puppet-modules-2014.1-14.6.el7ost.noarch
openstack-foreman-installer-2.0.7-1.el6ost.noarch
ruby193-rubygem-foreman_openstack_simplify-0.0.6-7.el6ost.noarch
Seems like the reported bug is still there.
Getting the below AVC messages in /var/log/messages upon attempt to start the openstack-swift-proxy.service:

```
Jun 18 21:38:37 525400702875 proxy-server: Pipeline was modified. New pipeline is "catch_errors gatekeeper healthcheck memcache proxy_logging dlo keystoneclient.middleware.auth_token:filter_factory keystoneauth proxy_logging proxy".
Jun 18 21:38:37 525400702875 kernel: type=1400 audit(1403127517.246:354): avc: denied { search } for pid=16375 comm="swift-proxy-ser" name="httpd" dev="dm-0" ino=18634538 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir
Jun 18 21:38:37 525400702875 kernel: type=1400 audit(1403127517.289:355): avc: denied { search } for pid=16375 comm="swift-proxy-ser" name="httpd" dev="dm-0" ino=18634538 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir
Jun 18 21:38:37 525400702875 kernel: type=1400 audit(1403127517.289:356): avc: denied { search } for pid=16375 comm="swift-proxy-ser" name="httpd" dev="dm-0" ino=18634538 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir
```

After manually restarting the service this is the status:

```
systemctl status openstack-swift-proxy.service
openstack-swift-proxy.service - OpenStack Object Storage (swift) - Proxy Server
   Loaded: loaded (/usr/lib/systemd/system/openstack-swift-proxy.service; enabled)
   Active: active (running) since Wed 2014-06-18 21:38:36 UTC; 2min 5s ago
 Main PID: 16370 (swift-proxy-ser)
   CGroup: /system.slice/openstack-swift-proxy.service
           ├─16370 /usr/bin/python /usr/bin/swift-proxy-server /etc/swift/proxy-server.conf
           └─16375 /usr/bin/python /usr/bin/swift-proxy-server /etc/swift/proxy-server.conf

Jun 18 21:38:37 525400702875.example.com proxy-server[16370]: Adding required filter dlo to pipeline at position 3
Jun 18 21:38:37 525400702875.example.com proxy-server[16370]: Adding required filter gatekeeper to pipeline at position 0
Jun 18 21:38:37 525400702875.example.com proxy-server[16370]: Adding required filter catch_errors to pipeline at position 0
Jun 18 21:38:37 525400702875.example.com proxy-server[16370]: Pipeline was modified. New pipeline is "catch_errors gatekeeper healthcheck memcache proxy_logging dlo keystoneclient.middleware.auth_t...gging proxy".
Jun 18 21:38:37 525400702875.example.com swift-proxy-server[16370]: No handlers could be found for logger "swift"
Jun 18 21:38:37 525400702875.example.com proxy-server[16370]: Started child 16375
Jun 18 21:38:37 525400702875.example.com proxy-server[16375]: Adding required filter dlo to pipeline at position 3
Jun 18 21:38:37 525400702875.example.com proxy-server[16375]: Adding required filter gatekeeper to pipeline at position 0
Jun 18 21:38:37 525400702875.example.com proxy-server[16375]: Adding required filter catch_errors to pipeline at position 0
Jun 18 21:38:37 525400702875.example.com proxy-server[16375]: Pipeline was modified. New pipeline is "catch_errors gatekeeper healthcheck memcache proxy_logging dlo keystoneclient.middleware.auth_t...gging proxy".
Hint: Some lines were ellipsized, use -l to show in full.
```
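The AVC lines quoted in this bug and the audit2allow output in the earlier comment are the two ends of the same triage step: parse each `avc: denied` line out of /var/log/messages, group the denials by source type, target type and object class, and render the groups as TE allow rules for review. The following Python is an added example written for this page, not code from the bug report or from openstack-selinux; it assumes only the syslog line format shown above, and the sample lines are constructed from values in the report.

```python
import re
from collections import defaultdict

# Constructed sample in the /var/log/messages format quoted in this bug (field values
# taken from the report's own AVC lines); the last line is a non-AVC line to be skipped.
SAMPLE_LOG = """\
Jun  5 21:18:42 001a4a16981f kernel: type=1400 audit(1402003122.328:5): avc: denied { write } for pid=10975 comm="load_policy" path="pipe:[44392]" dev="pipefs" ino=44392 scontext=system_u:system_r:load_policy_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fifo_file
Jun 18 21:38:37 525400702875 kernel: type=1400 audit(1403127517.246:354): avc: denied { search } for pid=16375 comm="swift-proxy-ser" name="httpd" dev="dm-0" ino=18634538 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir
Jun 18 21:38:37 525400702875 kernel: type=1400 audit(1403127517.289:355): avc: denied { search } for pid=16375 comm="swift-proxy-ser" name="httpd" dev="dm-0" ino=18634538 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir
Jun 18 21:38:37 525400702875 proxy-server: Pipeline was modified. New pipeline is "catch_errors gatekeeper healthcheck memcache proxy_logging dlo proxy".
"""

# avc: denied { perm ... } for <key=value fields> scontext=... tcontext=... tclass=...
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*?)'
                    r'\s+scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value pairs, value possibly quoted

def parse_avc(line):
    """Parse one syslog line; return None for anything that is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {'perms': m.group('perms').split(), 'comm': fields.get('comm'),
            'stype': m.group('scontext').split(':')[2],  # type part of user:role:type:level
            'ttype': m.group('tcontext').split(':')[2],
            'tclass': m.group('tclass')}

def summarize(log_text):
    """Group denials by (source type, target type, class): permission set, hit count, comms."""
    rules = defaultdict(lambda: {'perms': set(), 'count': 0, 'comms': set()})
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        entry = rules[(d['stype'], d['ttype'], d['tclass'])]
        entry['perms'].update(d['perms'])
        entry['count'] += 1
        entry['comms'].add(d['comm'])
    return dict(rules)

def allow_rules(summary):
    """Render the summary as TE allow rules the way audit2allow prints them."""
    out = []
    for (stype, ttype, tclass), v in sorted(summary.items()):
        perms = sorted(v['perms'])
        rendered = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        out.append(f'allow {stype} {ttype}:{tclass} {rendered};')
    return out
```

The hit count and comm set show which denials recur and from which process, which is what separates the repeated swift-proxy-ser search of httpd_config_t from the one-off load_policy write; whether a rendered rule belongs in policy is still the judgement the comments above make for each one.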
Created attachment 910173 [details]
Includes the AVC denial messages upon attempt to start the openstack-nova-network.service with selinux enforced.
Environment (plus selinux version):
foreman-installer-staypuft-0.0.18-1.el6ost.noarch
ruby193-rubygem-staypuft-0.1.4-1.el6ost.noarch
openstack-puppet-modules-2014.1-14.6.el7ost.noarch
openstack-foreman-installer-2.0.7-1.el6ost.noarch
ruby193-rubygem-foreman_openstack_simplify-0.0.6-7.el6ost.noarch
selinux-policy-targeted-3.12.1-153.el7_0.10.noarch
libselinux-2.2.2-6.el7.x86_64
selinux-policy-3.12.1-153.el7_0.10.noarch
libselinux-ruby-2.2.2-6.el7.x86_64
libselinux-utils-2.2.2-6.el7.x86_64
libselinux-python-2.2.2-6.el7.x86_64

Unable to start the openstack-nova-network.service with selinux enforced on the compute node. Attached the audit.log.

Created attachment 910882 [details]
audit.log with AVC messages.

Verified: FailedQA
Failed-qa with foreman-installer-staypuft-0.0.20-1.el6ost.noarch

Environment:
libselinux-ruby-2.0.94-5.3.el6_4.1.x86_64
selinux-policy-targeted-3.7.19-231.el6.noarch
foreman-installer-staypuft-0.0.20-1.el6ost.noarch
ruby193-rubygem-staypuft-0.1.4-1.el6ost.noarch
libselinux-utils-2.0.94-5.3.el6_4.1.x86_64
libselinux-2.0.94-5.3.el6_4.1.x86_64
openstack-puppet-modules-2014.1-16.2.el6ost.noarch
openstack-foreman-installer-2.0.8-1.el6ost.noarch
foreman-selinux-1.6.0-2.el6sat.noarch
libselinux-python-2.0.94-5.3.el6_4.1.x86_64
selinux-policy-3.7.19-231.el6.noarch
ruby193-rubygem-foreman_openstack_simplify-0.0.6-7.el6ost.noarch

There are errors and AVC messages related to the swift-proxy-ser on the controller. The audit.log from the controller is attached (above).

*** Bug 1112006 has been marked as a duplicate of this bug. ***

Verified: rhel-osp-installer-0.0.25-5.el6ost.noarch
There are no AVCs of "load_policy" and "swift-proxy-ser".

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2014-0845.html
Rubygem-Staypuft: AVCs of "load_policy" and "swift-proxy-ser" during nova-controller deployments.

Environment:
-------------
foreman-installer-staypuft-0.0.14-1.el6ost.noarch
ruby193-rubygem-staypuft-0.1.0-1.el6ost.noarch
puppet-3.3.2-2.el6.noarch
openstack-puppet-modules-2014.1-12.el6ost.noarch
puppet-server-3.3.2-2.el6.noarch
libselinux-2.2.2-6.el7.x86_64
selinux-policy-targeted-3.12.1-153.el7_0.10.noarch
libselinux-ruby-2.2.2-6.el7.x86_64
libselinux-utils-2.2.2-6.el7.x86_64
libselinux-python-2.2.2-6.el7.x86_64
selinux-policy-3.12.1-153.el7_0.10.noarch

Steps:
-------
(1) Install staypuft
(2) auto-discover hosts
(3) Create Non-Ha deployment ( Nova-network or Neutron.)
(4) Attempt to deploy and look at the /var/log/messages

Results:
--------
(-) multiple AVC errors.

/var/log/messages (file attached):
------------------------------------

```
Jun  5 21:18:42 001a4a16981f kernel: type=1400 audit(1402003122.328:5): avc: denied { write } for pid=10975 comm="load_policy" path="pipe:[44392]" dev="pipefs" ino=44392 scontext=system_u:system_r:load_policy_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fifo_file
Jun  5 21:18:42 001a4a16981f kernel: type=1400 audit(1402003122.328:5): avc: denied { write } for pid=10975 comm="load_policy" path="pipe:[44392]" dev="pipefs" ino=44392 scontext=system_u:system_r:load_policy_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fifo_file
Jun  5 21:26:46 001a4a16981f kernel: type=1400 audit(1402003606.408:17): avc: denied { search } for pid=14781 comm="swift-proxy-ser" name="httpd" dev="dm-1" ino=1043403 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir
Jun  5 21:26:46 001a4a16981f kernel: type=1400 audit(1402003606.538:18): avc: denied { search } for pid=14780 comm="swift-proxy-ser" name="httpd" dev="dm-1" ino=1043403 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir
Jun  5 21:26:46 001a4a16981f kernel: type=1400 audit(1402003606.538:19): avc: denied { search } for pid=14780 comm="swift-proxy-ser" name="httpd" dev="dm-1" ino=1043403 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir
Jun  5 21:26:47 001a4a16981f systemd: Reloading.
```