Bug 1119400 - glance image-create fails with Selinux enabled and using Ceph/rbd
Summary: glance image-create fails with Selinux enabled and using Ceph/rbd
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux
Version: 5.0 (RHEL 7)
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: 5.0 (RHEL 7)
Assignee: Ryan Hallisey
QA Contact: Tzach Shefi
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2014-07-14 17:00 UTC by Keith Schincke
Modified: 2016-04-26 17:04 UTC (History)
CC: 12 users

Fixed In Version: openstack-selinux-0.5.14-3.el7ost
Doc Type: Bug Fix
Doc Text:
Previously, SELinux in enforcing mode prevented image creation in the Image Service (glance) when it was configured to use Ceph storage (RADOS block devices): the glance-api process was denied the execmem and execstack permissions, so image creation failed and SELinux logged AVC messages. With this update, the policy grants the glance-api domain those permissions, so image creation succeeds and no AVC messages are output.
Clone Of:
Environment:
Last Closed: 2014-07-24 17:23:47 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2014:0937 0 normal SHIPPED_LIVE Red Hat Enterprise Linux OpenStack Platform Bug Fix and Enhancement Advisory 2014-07-24 21:21:56 UTC

Description Keith Schincke 2014-07-14 17:00:20 UTC
Description of problem:
Glance image-create fails on RHOS 5 running on RHEL 7 when glance is configured to use Ceph/rbd and SELinux is in enforcing mode.

type=AVC msg=audit(1405130267.572:5587): avc:  denied  { execstack } for  pid=8320 comm="glance-api" scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:system_r:glance_api_t:s0 tclass=process
type=AVC msg=audit(1405130267.572:5587): avc:  denied  { execmem } for  pid=8320 comm="glance-api" scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:system_r:glance_api_t:s0 tclass=process



Version-Release number of selected component (if applicable):
# rpm -qa | egrep "glance|selinux" | sort
libselinux-2.0.94-2.el6.x86_64
libselinux-2.0.94-5.2.el6.x86_64
libselinux-python-2.0.94-2.el6.x86_64
libselinux-python-2.0.94-5.2.el6.x86_64
libselinux-utils-2.0.94-2.el6.x86_64
libselinux-utils-2.0.94-5.2.el6.x86_64
selinux-policy-3.7.19-126.el6_2.4.noarch
selinux-policy-3.7.19-54.el6.noarch
selinux-policy-targeted-3.7.19-126.el6_2.4.noarch
selinux-policy-targeted-3.7.19-54.el6.noarch

/etc/glance/glance-api.conf updates

default_store=rbd
show_image_direct_url=True
rbd_store_ceph_conf=/etc/ceph/ceph.conf
rbd_store_user=images
rbd_store_pool=images
rbd_store_chunk_size=8


How reproducible:
100% while in enforcing and using rbd

Steps to Reproduce:
1. Configure Ceph to allow connections from OSP
2. Configure OSP to create a connection to Ceph
3. Create image with glance

Actual results:


Expected results:


Additional info:

Comment 1 Keith Schincke 2014-07-14 17:07:06 UTC
Correction. The wrong list of packages was provided.
Here is the corrected list

# rpm -qa | egrep "glance|selinux" | sort
libselinux-2.2.2-6.el7.x86_64
libselinux-python-2.2.2-6.el7.x86_64
libselinux-ruby-2.2.2-6.el7.x86_64
libselinux-utils-2.2.2-6.el7.x86_64
openstack-glance-2014.1-4.el7ost.noarch
openstack-selinux-0.5.9-1.el7ost.noarch
python-glance-2014.1-4.el7ost.noarch
python-glanceclient-0.12.0-1.el7ost.noarch
selinux-policy-3.12.1-153.el7_0.10.noarch
selinux-policy-targeted-3.12.1-153.el7_0.10.noarch

Comment 3 Ryan Hallisey 2014-07-15 18:47:30 UTC
Can you rerun your steps in permissive and attach your audit.log please?

Comment 4 Keith Schincke 2014-07-15 18:54:02 UTC
The audit logs while running in permissive mode are included in the description.

Comment 5 Miroslav Grepl 2014-07-16 07:31:05 UTC
We probably want to add glance_use_execmem boolean.

Comment 8 Yogev Rabl 2014-07-22 12:46:04 UTC
verified on:
openstack-selinux-0.5.14-3.el7ost.noarch

Comment 9 Yogev Rabl 2014-07-23 09:11:06 UTC
Rechecked this issue after updating the OSP - and the bug still happens:

#sealert -a /var/log/audit.log
output:

found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/bin/python2.7 from read access on the file .

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that python2.7 should be allowed read access on the  file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep glance-api /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:glance_api_t:s0
Target Context                unconfined_u:object_r:admin_home_t:s0
Target Objects                 [ file ]
Source                        glance-api
Source Path                   /usr/bin/python2.7
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           python-2.7.5-16.el7.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-153.el7_0.10.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     cougar01.scl.lab.tlv.redhat.com
Platform                      Linux cougar01.scl.lab.tlv.redhat.com
                              3.10.0-123.4.2.el7.x86_64 #1 SMP Thu Jun 5
                              21:43:43 EDT 2014 x86_64 x86_64
Alert Count                   6
First Seen                    2014-07-23 11:45:25 IDT
Last Seen                     2014-07-23 11:51:06 IDT
Local ID                      766fdad8-30e6-428e-8b13-f92a1df47417

Raw Audit Messages
type=AVC msg=audit(1406105466.953:21025): avc:  denied  { read } for  pid=18077 comm="glance-api" name="ceph.conf" dev="sda5" ino=18743509 scontext=system_u:system_r:glance_api_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file


type=SYSCALL msg=audit(1406105466.953:21025): arch=x86_64 syscall=open success=no exit=EACCES a0=2c712e8 a1=0 a2=1b6 a3=0 items=0 ppid=18062 pid=18077 auid=4294967295 uid=161 gid=161 euid=161 suid=161 fsuid=161 egid=161 sgid=161 fsgid=161 tty=(none) ses=4294967295 comm=glance-api exe=/usr/bin/python2.7 subj=system_u:system_r:glance_api_t:s0 key=(null)

Hash: glance-api,glance_api_t,admin_home_t,file,read
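
The two kinds of AVC record quoted in this bug (the execmem/execstack denials against the process itself in the description, and the read denial against a file labeled admin_home_t in comment 9) need different fixes, and telling them apart is the first triage step. The following script is an added example, not code from the bug report or from openstack-selinux: it parses audit AVC records, classifies each denial as a policy gap (the domain lacks a permission on itself, which a boolean such as the glance_use_execmem proposed in comment 5 or a policy change addresses) or a labeling problem (the target carries a type a confined daemon should never touch, which restorecon repairs). The sample lines are the ones quoted on this page; the classification rules and the list of "never legitimate" target types are heuristics chosen for this example, not facts taken from the policy.

```python
import re
from typing import Any, Dict, List, Optional

# AVC records copied from this report (description and comment 9). They are
# constructed sample input for the parser; nothing here reads a live audit log.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1405130267.572:5587): avc:  denied  { execstack } for  pid=8320 '
    'comm="glance-api" scontext=system_u:system_r:glance_api_t:s0 '
    'tcontext=system_u:system_r:glance_api_t:s0 tclass=process',
    'type=AVC msg=audit(1405130267.572:5587): avc:  denied  { execmem } for  pid=8320 '
    'comm="glance-api" scontext=system_u:system_r:glance_api_t:s0 '
    'tcontext=system_u:system_r:glance_api_t:s0 tclass=process',
    'type=AVC msg=audit(1406105466.953:21025): avc:  denied  { read } for  pid=18077 '
    'comm="glance-api" name="ceph.conf" dev="sda5" ino=18743509 '
    'scontext=system_u:system_r:glance_api_t:s0 '
    'tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file',
]

AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Heuristic (an assumption of this example): a confined daemon hitting one of
# these target types almost always means the object is mislabeled, not that the
# policy is missing an allow rule.
MISLABEL_TYPES = {"admin_home_t", "user_home_t", "default_t", "unlabeled_t"}
# Process-class permissions that mean "this domain wants writable+executable memory".
EXEC_PERMS = {"execmem", "execstack", "execheap"}


def selinux_type(context: str) -> str:
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_avc(line: str) -> Optional[Dict[str, Any]]:
    """Parse one type=AVC record into a dict; return None for anything else."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if not all(k in kv for k in ("scontext", "tcontext", "tclass")):
        return None
    return {
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "comm": kv.get("comm"),
        "pid": int(kv["pid"]) if "pid" in kv else None,
        "name": kv.get("name"),   # basename only; the AVC never carries the full path
        "dev": kv.get("dev"),
        "ino": kv.get("ino"),
        "scontext": kv["scontext"],
        "tcontext": kv["tcontext"],
        "tclass": kv["tclass"],
    }


def classify(avc: Dict[str, Any]) -> str:
    """'policy' for execmem/execstack on the process itself, 'labeling' for a
    file-class denial against a type in MISLABEL_TYPES, 'unknown' otherwise."""
    stype = selinux_type(avc["scontext"])
    ttype = selinux_type(avc["tcontext"])
    if avc["tclass"] == "process" and stype == ttype and EXEC_PERMS & set(avc["perms"]):
        return "policy"
    if avc["tclass"] in ("file", "dir", "lnk_file") and ttype in MISLABEL_TYPES:
        return "labeling"
    return "unknown"


def hint(avc: Dict[str, Any]) -> str:
    """Human-readable next step for one denial."""
    kind = classify(avc)
    stype = selinux_type(avc["scontext"])
    if kind == "policy":
        return (f"{stype} needs {' '.join(avc['perms'])} on itself: look for an execmem "
                f"boolean (getsebool -a | grep execmem) or a policy update; relabeling will not help")
    if kind == "labeling":
        return (f"{avc['name']!r} is labeled {selinux_type(avc['tcontext'])}; the record has only "
                f"the basename, so locate it with: find / -inum {avc['ino']} (confirm dev={avc['dev']}), "
                f"compare with matchpathcon, then restorecon -v it")
    return "no rule of thumb applies; inspect with matchpathcon and sesearch by hand"


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Classify every denied AVC record in `lines`, skipping non-AVC input."""
    out = []
    for line in lines:
        avc = parse_avc(line)
        if avc is None or avc["result"] != "denied":
            continue
        out.append({"kind": classify(avc), "hint": hint(avc)})
    return out


if __name__ == "__main__":
    for item in triage(SAMPLE_AVCS):
        print(item["kind"], "-", item["hint"])
```

Run it over `ausearch -m avc -c glance-api` output instead of the embedded samples to triage a live host; the point of the split is that audit2allow, as suggested by the sealert catchall plugin above, would happily generate an allow rule for the admin_home_t read, which papers over the mislabeling instead of fixing it.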

Comment 10 Ryan Hallisey 2014-07-23 12:48:24 UTC
I think the labeling is wrong; glance_api_t should not be trying to read root's home directory. You need to run

# restorecon -R -v <path for glance_api_t> 

The path for glance_api_t will be in the audit.log.

Comment 11 Ryan Hallisey 2014-07-23 12:52:20 UTC
Sorry, wrong path:

# restorecon -R -v <path for ceph.conf>

Comment 13 Keith Schincke 2014-07-23 14:33:41 UTC
The bad context on the ceph.conf file may be a local configuration issue created while testing.
I have checked the ceph.conf on my other systems and they are etc_t.

My OSP environment is being rebuilt. I will recheck it there once I get it back.
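
The mislabeled ceph.conf in comments 9 through 13 is worth a repeatable check, because the label survives a `mv` from /root (the inode and its security xattr move with the file) while a `cp` into /etc creates a fresh inode that gets etc_t from the parent directory. The script below is an added example, not part of the bug report or of openstack-selinux: it compares the on-disk type of the Ceph config with what the file-context database says it should be, relabels the directory when they differ, and then checks the execmem side separately. The path is the rbd_store_ceph_conf value from the description; the boolean name glance_use_execmem is the one proposed in comment 5 and is assumed here, not confirmed by the page.

```shell
#!/bin/sh
# Added example (not from the bug report): verify and repair the SELinux label on
# the Ceph config that glance-api reads, then look at the execmem side separately.
# Assumes coreutils stat with SELinux support, policycoreutils (matchpathcon,
# restorecon, getsebool) and audit (ausearch). The boolean name is an assumption.
CEPH_CONF=${CEPH_CONF:-/etc/ceph/ceph.conf}

# type field of a security context (user:role:type:level)
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# current type of a file, from stat's %C (SELinux context) format
file_type() { ctx_type "$(stat -c '%C' "$1")"; }

# type the file-context database assigns to this path
expected_type() { ctx_type "$(matchpathcon -n "$1")"; }

# 0 if the on-disk label matches policy, 1 otherwise; prints both on mismatch
check_label() {
  have=$(file_type "$1")
  want=$(expected_type "$1")
  if [ "$have" = "$want" ]; then
    echo "OK   $1 is $have"
    return 0
  fi
  echo "BAD  $1 is $have, policy says $want"
  return 1
}

# relabel the whole directory; restorecon uses the same database as matchpathcon
fix_label() { restorecon -R -v "$1"; }

main() {
  check_label "$CEPH_CONF" || fix_label "$(dirname "$CEPH_CONF")"

  # execmem/execstack on the process itself is not a labeling problem: see whether
  # the installed policy offers a boolean for it before reaching for audit2allow
  getsebool glance_use_execmem 2>/dev/null || echo "no glance_use_execmem boolean in this policy"

  # after re-running image-create, confirm nothing new was denied for glance-api
  ausearch -m avc -c glance-api -ts recent 2>/dev/null || echo "no recent AVCs for glance-api"
}

# only run the workflow on a host with SELinux tooling (RUN_SELINUX_CHECK=1 ./script.sh)
if [ "${RUN_SELINUX_CHECK:-0}" = 1 ]; then
  main
fi
```

`check_label` deliberately compares only the type field: the user field (unconfined_u vs system_u) differs legitimately depending on who created the file, and is not what glance_api_t's read permission is decided on.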

Comment 14 nlevinki 2014-07-24 09:00:51 UTC
tested on OpenStack-5.0-RHEL-7 Puddle: 2014-07-23.1
working ok

Comment 16 errata-xmlrpc 2014-07-24 17:23:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-0937.html

