Bug 1119845 - nova volume-attach fails when Selinux is enabled and using Ceph/OSD
Summary: nova volume-attach fails when Selinux is enabled and using Ceph/OSD
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux
Version: 5.0 (RHEL 7)
Hardware: All
OS: Linux
unspecified
high
Target Milestone: rc
: 5.0 (RHEL 7)
Assignee: Ryan Hallisey
QA Contact: Yogev Rabl
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-07-15 15:59 UTC by Keith Schincke
Modified: 2014-09-08 05:44 UTC

Fixed In Version: openstack-selinux-0.5.14-3.el7ost
Doc Type: Bug Fix
Doc Text:
In the previous release, SELinux in enforcing mode blocked the attachment of block storage using 'nova volume-attach'. As a result, Compute failed to attach block storage. With this update, the svirt process in SELinux has been updated and can now write to memory with the same label; Compute's 'nova volume-attach' now succeeds without being blocked by SELinux.
Clone Of:
Environment:
Last Closed: 2014-07-24 17:23:50 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2014:0937 normal SHIPPED_LIVE Red Hat Enterprise Linux OpenStack Platform Bug Fix and Enhancement Advisory 2014-07-24 21:21:56 UTC

Description Keith Schincke 2014-07-15 15:59:57 UTC
Description of problem:
The nova volume-attach command returns success on the controller node but fails on the compute node when SELinux is enforcing on the compute nodes.

Here are the audit logs from the compute node while SELinux is permissive:
type=AVC msg=audit(1405141351.574:1913): avc:  denied  { execstack } for  pid=22718 comm="qemu-kvm" scontext=system_u:system_r:svirt_t:s0:c62,c1018 tcontext=system_u:system_r:svirt_t:s0:c62,c1018 tclass=process
type=AVC msg=audit(1405141351.574:1913): avc:  denied  { execmem } for  pid=22718 comm="qemu-kvm" scontext=system_u:system_r:svirt_t:s0:c62,c1018 tcontext=system_u:system_r:svirt_t:s0:c62,c1018 tclass=process


Version-Release number of selected component (if applicable):
OSP 5
RHEL 7

How reproducible:
100% while enforcing
0% while permissive

Steps to Reproduce:
1. Create a new volume with cinder, returns success
2. Attach volume to running image with nova, returns success and disk name (/dev/vdb)
3. Log into the running image and cat /proc/partitions; no /dev/vdb is seen.
4. Review audit logs for the error message.

Actual results:


Expected results:


Additional info:

Comment 2 Ryan Hallisey 2014-07-15 18:48:38 UTC
Can you duplicate your steps in permissive and attach your audit.log please?

Comment 3 Keith Schincke 2014-07-15 18:53:28 UTC
The audit logs while running in permissive mode are included in the description.

Comment 4 Ryan Hallisey 2014-07-15 19:01:16 UTC
Thanks, missed that :)

Comment 5 Miroslav Grepl 2014-07-16 07:30:06 UTC
#============= svirt_t ==============

#!!!! This avc can be allowed using the boolean 'virt_use_execmem'
allow svirt_t self:process execmem;

So you want to run

# setsebool -P virt_use_execmem 1
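
The two AVC records from the description and the boolean named in comment 5, worked through as an added example (not part of the bug report or of openstack-selinux): a small audit.log AVC parser that groups denied permissions by source type, object class and permission and reports which denials a boolean would switch on versus which would need a policy module. The sample lines are constructed from the report plus one made-up file denial; mapping execstack to virt_use_execmem is an assumption, since the report only names the boolean for execmem.

```python
import re

# Constructed sample input: the two AVC records quoted in this bug report
# (re-joined onto one line each) plus one made-up file denial that no boolean covers.
AUDIT_LINES = [
    'type=AVC msg=audit(1405141351.574:1913): avc:  denied  { execstack } for  pid=22718 comm="qemu-kvm" '
    'scontext=system_u:system_r:svirt_t:s0:c62,c1018 tcontext=system_u:system_r:svirt_t:s0:c62,c1018 tclass=process',
    'type=AVC msg=audit(1405141351.574:1913): avc:  denied  { execmem } for  pid=22718 comm="qemu-kvm" '
    'scontext=system_u:system_r:svirt_t:s0:c62,c1018 tcontext=system_u:system_r:svirt_t:s0:c62,c1018 tclass=process',
    'type=AVC msg=audit(1405141399.100:1950): avc:  denied  { read } for  pid=23001 comm="qemu-kvm" name="disk.img" '
    'scontext=system_u:system_r:svirt_t:s0:c62,c1018 tcontext=system_u:object_r:var_lib_t:s0 tclass=file',
]

AVC_RE = re.compile(r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
                    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Booleans that switch a denied (source type, class, permission) on. Comment 5 ties
# execmem on svirt_t self:process to virt_use_execmem; listing execstack under the
# same boolean is an assumption (the report shows it denied but names no boolean).
BOOLEAN_FOR = {('svirt_t', 'process', 'execmem'): 'virt_use_execmem',
               ('svirt_t', 'process', 'execstack'): 'virt_use_execmem'}  # assumption

def parse_avc(line):
    """Parse one audit.log AVC record into a dict; None if the line is not an AVC."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    rec.update(ts=float(m.group('ts')), serial=int(m.group('serial')),
               result=m.group('result'), perms=m.group('perms').split())
    # The SELinux type is the third colon-separated field of a security context.
    rec['stype'] = rec['scontext'].split(':')[2]
    return rec

def explain_denials(lines):
    """Map each denied (source type, class, perm) to its boolean, or None if none applies."""
    out = {}
    for rec in filter(None, map(parse_avc, lines)):
        for perm in rec['perms'] if rec['result'] == 'denied' else ():
            key = (rec['stype'], rec['tclass'], perm)
            out[key] = BOOLEAN_FOR.get(key)
    return out

if __name__ == '__main__':
    for (stype, tclass, perm), boolean in sorted(explain_denials(AUDIT_LINES).items()):
        fix = f'setsebool -P {boolean} 1' if boolean else 'no boolean: needs a custom policy module'
        print(f'{stype} {tclass}:{perm} -> {fix}')
```

On a real compute node the same function can be fed the output of ausearch -m avc, and a result of None for a key is the signal that a boolean alone will not clear the denial.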

Comment 7 Lon Hohberger 2014-07-17 14:25:42 UTC
So for now, we'll do setsebool -P virt_use_execmem 1 in %post

Comment 10 Yogev Rabl 2014-07-22 12:44:48 UTC
verified on:
openstack-nova-scheduler-2014.1.1-1.el7ost.noarch
python-nova-2014.1.1-1.el7ost.noarch
openstack-nova-conductor-2014.1.1-1.el7ost.noarch
openstack-nova-cert-2014.1.1-1.el7ost.noarch
openstack-nova-common-2014.1.1-1.el7ost.noarch
openstack-nova-compute-2014.1.1-1.el7ost.noarch
openstack-nova-api-2014.1.1-1.el7ost.noarch
openstack-nova-novncproxy-2014.1.1-1.el7ost.noarch
openstack-nova-console-2014.1.1-1.el7ost.noarch
openstack-nova-network-2014.1.1-1.el7ost.noarch
python-novaclient-2.17.0-2.el7ost.noarch
python-cinderclient-1.0.9-1.el7ost.noarch
openstack-cinder-2014.1.1-1.el7ost.noarch
python-cinder-2014.1.1-1.el7ost.noarch

Comment 12 errata-xmlrpc 2014-07-24 17:23:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-0937.html

