
Bug 1105344

Summary: AVCs of "load_policy" and "swift-proxy-ser" during nova-controller deployments.
Product: Red Hat OpenStack
Reporter: Omri Hochman <ohochman>
Component: openstack-selinux
Assignee: Lon Hohberger <lhh>
Status: CLOSED ERRATA
QA Contact: Alexander Chuzhoy <sasha>
Severity: high
Priority: high
Version: 5.0 (RHEL 6)
CC: aberezin, fdupont, lhh, mgrepl, morazi, rhallise, rhos-maint, sasha, yeylon, zaitcev
Target Milestone: rc
Target Release: 5.0 (RHEL 7)
Hardware: x86_64
OS: Linux
Fixed In Version: openstack-selinux-0.5.4-1.el7ost
Doc Type: Bug Fix
Last Closed: 2014-07-08 15:14:13 UTC
Type: Bug

Attachments (flags: none):
  messages
  audit.log
  Includes the AVC denial messages upon attempt to start the openstack-nova-network.service with selinux enforced.
  audit.log with AVC messages.

Description Omri Hochman 2014-06-05 22:58:36 UTC
Rubygem-Staypuft: AVCs of "load_policy" and "swift-proxy-ser" during nova-controller deployments.  

Environment:
-------------
foreman-installer-staypuft-0.0.14-1.el6ost.noarch
ruby193-rubygem-staypuft-0.1.0-1.el6ost.noarch
puppet-3.3.2-2.el6.noarch
openstack-puppet-modules-2014.1-12.el6ost.noarch
puppet-server-3.3.2-2.el6.noarch
libselinux-2.2.2-6.el7.x86_64
selinux-policy-targeted-3.12.1-153.el7_0.10.noarch
libselinux-ruby-2.2.2-6.el7.x86_64
libselinux-utils-2.2.2-6.el7.x86_64
libselinux-python-2.2.2-6.el7.x86_64
selinux-policy-3.12.1-153.el7_0.10.noarch

Steps:
-------
(1) Install staypuft
(2) auto-discover hosts
(3) Create Non-HA deployment (Nova-network or Neutron)
(4) Attempt to deploy and look at the /var/log/messages

Results:
--------
(-) multiple AVC errors.

/var/log/messages (file attached) : 
------------------------------------
Jun  5 21:18:42 001a4a16981f kernel: type=1400 audit(1402003122.328:5): avc:  denied  { write } for  pid=10975 comm="load_policy" path="pipe:[44392]" dev="pipefs" ino=44392 scontext=system_u:system_r:load_policy_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fifo_file

Jun  5 21:18:42 001a4a16981f kernel: type=1400 audit(1402003122.328:5): avc:  denied  { write } for  pid=10975 comm="load_policy" path="pipe:[44392]" dev="pipefs" ino=44392 scontext=system_u:system_r:load_policy_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fifo_file

Jun  5 21:26:46 001a4a16981f kernel: type=1400 audit(1402003606.408:17): avc:  denied  { search } for  pid=14781 comm="swift-proxy-ser" name="httpd" dev="dm-1" ino=1043403 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir
Jun  5 21:26:46 001a4a16981f kernel: type=1400 audit(1402003606.538:18): avc:  denied  { search } for  pid=14780 comm="swift-proxy-ser" name="httpd" dev="dm-1" ino=1043403 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir
Jun  5 21:26:46 001a4a16981f kernel: type=1400 audit(1402003606.538:19): avc:  denied  { search } for  pid=14780 comm="swift-proxy-ser" name="httpd" dev="dm-1" ino=1043403 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir
Jun  5 21:26:47 001a4a16981f systemd: Reloading.

Comment 1 Omri Hochman 2014-06-05 23:02:01 UTC
Created attachment 902706 [details]
messages

Comment 3 Lon Hohberger 2014-06-09 21:59:18 UTC
The first two don't look like they were caused by swift. 

The last 3 are all the same, but we need to know what swift's doing with those files (it may be specific to Staypuft)

Pete - any ideas what swift does with those files - they're the ones in /etc/httpd/conf, /etc/httpd/conf.d, /etc/httpd/conf.modules.d?

I don't see anything obvious on a non-staypuft deployment.

Comment 4 Pete Zaitcev 2014-06-10 20:34:33 UTC
Lon, these are Apache configuration files. Swift itself does not even
know they exist, since it's a WSGI app. We (RHOS/RDO) do not support
running Swift under Apache (through mod_wsgi or other means), and
do not provide any configuration samples to do that, so our RPMs never
touch /etc/httpd/*, but the code is included to support Apache if
anyone is sufficiently enterprising.

Sorry, I don't know what "Staypuft" is. But I suspect Omri's customer
configured Apache to run Swift in this case, and Swift's SELinux policy
was caught flat-footed by such trickery.

Comment 5 Omri Hochman 2014-06-11 20:09:44 UTC
Created attachment 907855 [details]
audit.log

adding audit.log

Comment 6 Lon Hohberger 2014-06-12 22:22:04 UTC
Interestingly, the audit.log has different AVCs in it.  I wonder if the original AVCs are no longer a problem.

Comment 7 Lon Hohberger 2014-06-12 22:25:51 UTC
require {
	type keystone_port_t;
	type memcache_port_t;
	type swift_t;
	class tcp_socket name_connect;
}

#============= swift_t ==============
allow swift_t keystone_port_t:tcp_socket name_connect;
allow swift_t memcache_port_t:tcp_socket name_connect;


^ This is all valid for swift to do.
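The AVC lines quoted in the description and the audit2allow-style rules in the comment above are two views of the same data: each denial names a source domain, a target type, an object class and the permission that was refused, and grouping denials by those fields yields the `require`/`allow` block a policy maintainer then reviews. The following is an added example, not code from this bug or from openstack-selinux, that parses `type=1400 ... avc: denied` lines from /var/log/messages and emits that summary; the sample log is a constructed excerpt copied from the lines quoted in this report, and the function and variable names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: AVC lines from the /var/log/messages excerpt in this bug,
# plus one non-AVC line to show that unrelated records are skipped.
SAMPLE_LOG = """\
Jun  5 21:18:42 001a4a16981f kernel: type=1400 audit(1402003122.328:5): avc:  denied  { write } for  pid=10975 comm="load_policy" path="pipe:[44392]" dev="pipefs" ino=44392 scontext=system_u:system_r:load_policy_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fifo_file
Jun  5 21:26:46 001a4a16981f kernel: type=1400 audit(1402003606.408:17): avc:  denied  { search } for  pid=14781 comm="swift-proxy-ser" name="httpd" dev="dm-1" ino=1043403 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir
Jun  5 21:26:46 001a4a16981f kernel: type=1400 audit(1402003606.538:18): avc:  denied  { search } for  pid=14780 comm="swift-proxy-ser" name="httpd" dev="dm-1" ino=1043403 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir
Jun  5 21:26:47 001a4a16981f systemd: Reloading.
"""

# "avc:  denied  { search } for  pid=... comm=... scontext=... tcontext=... tclass=dir"
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs; quoted values (comm="...", path="pipe:[44392]") may contain spaces or brackets
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC message."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {'result': m.group('result'), 'perms': m.group('perms').split()}
    for key, value in FIELD_RE.findall(m.group('fields')):
        rec[key] = value.strip('"')
    return rec


def context_type(context):
    """system_u:system_r:swift_t:s0 -> swift_t (the type is always the third field)."""
    return context.split(':')[2]


def summarize(log_text):
    """Group denials by (source type, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        key = (context_type(rec['scontext']), context_type(rec['tcontext']), rec['tclass'])
        rules[key].update(rec['perms'])
    return dict(rules)


def to_te(rules):
    """Render the grouped denials as an audit2allow-style require/allow block."""
    types = sorted({t for (src, tgt, _) in rules for t in (src, tgt)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = ['require {']
    out += ['\ttype %s;' % t for t in types]
    out += ['\tclass %s { %s };' % (c, ' '.join(sorted(p))) for c, p in sorted(classes.items())]
    out.append('}')
    out.append('')
    for (src, tgt, cls), perms in sorted(rules.items()):
        out.append('allow %s %s:%s { %s };' % (src, tgt, cls, ' '.join(sorted(perms))))
    return '\n'.join(out)


if __name__ == '__main__':
    print(to_te(summarize(SAMPLE_LOG)))
```

The grouping collapses the three identical swift_t -> httpd_config_t:dir denials into one candidate rule, which is the form in which a maintainer can decide whether the access is legitimate for the domain (as with the keystone and memcache ports above) or a sign that the service is reaching into something it should not, which is the question Comment 4 raises about the httpd configuration directory. The output is a triage aid, not something to load unreviewed.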

Comment 8 Lon Hohberger 2014-06-12 22:26:34 UTC
I also reproduced the swift ones on selinux-policy-3.12.1-153.el7_0.10

Comment 12 Lon Hohberger 2014-06-13 08:58:11 UTC
https://github.com/redhat-openstack/openstack-selinux/commit/9334f2c6f8a456507a7fa77bf29c656318782ee7

Thanks to Miroslav Grepl for his input.

Comment 13 Alexander Chuzhoy 2014-06-18 21:42:30 UTC
Environment:
foreman-installer-staypuft-0.0.18-1.el6ost.noarch
ruby193-rubygem-staypuft-0.1.4-1.el6ost.noarch
openstack-puppet-modules-2014.1-14.6.el7ost.noarch
openstack-foreman-installer-2.0.7-1.el6ost.noarch
ruby193-rubygem-foreman_openstack_simplify-0.0.6-7.el6ost.noarch


Seems like the reported bug is still there.
Getting the below AVC messages in /var/log/messages upon attempt to start the openstack-swift-proxy.service

Jun 18 21:38:37 525400702875 proxy-server: Pipeline was modified. New pipeline is "catch_errors gatekeeper healthcheck memcache proxy_logging dlo keystoneclient.middleware.auth_token:filter_factory keystoneauth proxy_logging proxy".
Jun 18 21:38:37 525400702875 kernel: type=1400 audit(1403127517.246:354): avc:  denied  { search } for  pid=16375 comm="swift-proxy-ser" name="httpd" dev="dm-0" ino=18634538 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir
Jun 18 21:38:37 525400702875 kernel: type=1400 audit(1403127517.289:355): avc:  denied  { search } for  pid=16375 comm="swift-proxy-ser" name="httpd" dev="dm-0" ino=18634538 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir
Jun 18 21:38:37 525400702875 kernel: type=1400 audit(1403127517.289:356): avc:  denied  { search } for  pid=16375 comm="swift-proxy-ser" name="httpd" dev="dm-0" ino=18634538 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir
After manually restarting the service this is the status:

systemctl status openstack-swift-proxy.service
openstack-swift-proxy.service - OpenStack Object Storage (swift) - Proxy Server
   Loaded: loaded (/usr/lib/systemd/system/openstack-swift-proxy.service; enabled)
   Active: active (running) since Wed 2014-06-18 21:38:36 UTC; 2min 5s ago
 Main PID: 16370 (swift-proxy-ser)
   CGroup: /system.slice/openstack-swift-proxy.service
           ├─16370 /usr/bin/python /usr/bin/swift-proxy-server /etc/swift/proxy-server.conf
           └─16375 /usr/bin/python /usr/bin/swift-proxy-server /etc/swift/proxy-server.conf

Jun 18 21:38:37 525400702875.example.com proxy-server[16370]: Adding required filter dlo to pipeline at position 3
Jun 18 21:38:37 525400702875.example.com proxy-server[16370]: Adding required filter gatekeeper to pipeline at position 0
Jun 18 21:38:37 525400702875.example.com proxy-server[16370]: Adding required filter catch_errors to pipeline at position 0
Jun 18 21:38:37 525400702875.example.com proxy-server[16370]: Pipeline was modified. New pipeline is "catch_errors gatekeeper healthcheck memcache proxy_logging dlo keystoneclient.middleware.auth_t...gging proxy".
Jun 18 21:38:37 525400702875.example.com swift-proxy-server[16370]: No handlers could be found for logger "swift"
Jun 18 21:38:37 525400702875.example.com proxy-server[16370]: Started child 16375
Jun 18 21:38:37 525400702875.example.com proxy-server[16375]: Adding required filter dlo to pipeline at position 3
Jun 18 21:38:37 525400702875.example.com proxy-server[16375]: Adding required filter gatekeeper to pipeline at position 0
Jun 18 21:38:37 525400702875.example.com proxy-server[16375]: Adding required filter catch_errors to pipeline at position 0
Jun 18 21:38:37 525400702875.example.com proxy-server[16375]: Pipeline was modified. New pipeline is "catch_errors gatekeeper healthcheck memcache proxy_logging dlo keystoneclient.middleware.auth_t...gging proxy".
Hint: Some lines were ellipsized, use -l to show in full.

Comment 14 Alexander Chuzhoy 2014-06-18 21:49:58 UTC
Created attachment 910173 [details]
Includes the AVC denial messages upon attempt to start the openstack-nova-network.service with selinux enforced.

Comment 15 Alexander Chuzhoy 2014-06-18 21:50:33 UTC
Environment (plus selinux version):
foreman-installer-staypuft-0.0.18-1.el6ost.noarch
ruby193-rubygem-staypuft-0.1.4-1.el6ost.noarch
openstack-puppet-modules-2014.1-14.6.el7ost.noarch
openstack-foreman-installer-2.0.7-1.el6ost.noarch
ruby193-rubygem-foreman_openstack_simplify-0.0.6-7.el6ost.noarch
selinux-policy-targeted-3.12.1-153.el7_0.10.noarch
libselinux-2.2.2-6.el7.x86_64
selinux-policy-3.12.1-153.el7_0.10.noarch
libselinux-ruby-2.2.2-6.el7.x86_64
libselinux-utils-2.2.2-6.el7.x86_64
libselinux-python-2.2.2-6.el7.x86_64


Unable to start the openstack-nova-network.service with selinux enforced on the compute node.
Attached the audit.log.

Comment 17 Alexander Chuzhoy 2014-06-20 20:06:21 UTC
Created attachment 910882 [details]
audit.log with AVC messages.

Comment 18 Alexander Chuzhoy 2014-06-20 20:07:25 UTC
Verified: FailedQA
Failed-qa with foreman-installer-staypuft-0.0.20-1.el6ost.noarch

Environment:
libselinux-ruby-2.0.94-5.3.el6_4.1.x86_64
selinux-policy-targeted-3.7.19-231.el6.noarch
foreman-installer-staypuft-0.0.20-1.el6ost.noarch
ruby193-rubygem-staypuft-0.1.4-1.el6ost.noarch
libselinux-utils-2.0.94-5.3.el6_4.1.x86_64
libselinux-2.0.94-5.3.el6_4.1.x86_64
openstack-puppet-modules-2014.1-16.2.el6ost.noarch
openstack-foreman-installer-2.0.8-1.el6ost.noarch
foreman-selinux-1.6.0-2.el6sat.noarch
libselinux-python-2.0.94-5.3.el6_4.1.x86_64
selinux-policy-3.7.19-231.el6.noarch
ruby193-rubygem-foreman_openstack_simplify-0.0.6-7.el6ost.noarch

There are errors and AVC messages related to the swift-proxy-ser on the controller.

The audit.log from the controller is attached (above).

Comment 19 Lon Hohberger 2014-06-23 13:53:48 UTC
*** Bug 1112006 has been marked as a duplicate of this bug. ***

Comment 21 Alexander Chuzhoy 2014-06-27 21:03:49 UTC
Verified: rhel-osp-installer-0.0.25-5.el6ost.noarch


There are no AVCs of "load_policy" and "swift-proxy-ser".

Comment 23 errata-xmlrpc 2014-07-08 15:14:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2014-0845.html