Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1151647

Summary: SELinux: unable to install a custom policy because no datum for type nova_provider_t
Product: Red Hat OpenStack Reporter: Richard Su <rwsu>
Component: openstack-selinuxAssignee: Ryan Hallisey <rhallise>
Status: CLOSED WONTFIX QA Contact: nlevinki <nlevinki>
Severity: medium Docs Contact:
Priority: medium    
Version: 5.0 (RHEL 7)CC: jschluet, lhh, mgrepl, mmalik, rwsu, sasha, sclewis, yeylon
Target Milestone: z5Keywords: OtherQA, Triaged, ZStream
Target Release: 5.0 (RHEL 7)   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: openstack-selinux-0.6.37-1.el7ost Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-09-02 20:03:49 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
updated custom policy none

Description Richard Su 2014-10-10 22:10:43 UTC 
Description of problem:
Installing a custom policy containing nova_provider_t fails on RHEL7 but works on Fedora 20. 

Version-Release number of selected component (if applicable):
openstack-selinux-0.5.15-1.el7ost.noarch
selinux-policy-3.12.1-153.el7_0.11.noarch
selinux-policy-targeted-3.12.1-153.el7_0.11.noarch

How reproducible:
always

Steps to Reproduce:
1. Compile and install the attached custom policy

Actual results:
install fails

Expected results:
install succeeds

Additional info:

+ checkmodule -M -m -o /tmp/tripleo-selinux-keepalived.mod /opt/stack/selinux-policy/tripleo-selinux-keepalived.te
checkmodule:  loading policy configuration from /opt/stack/selinux-policy/tripleo-selinux-keepalived.te
checkmodule:  policy configuration loaded
checkmodule:  writing binary representation (version 17) to /tmp/tripleo-selinux-keepalived.mod
+ semodule_package -o /tmp/tripleo-selinux-keepalived.pp -m /tmp/tripleo-selinux-keepalived.mod
+ semodule -i /tmp/tripleo-selinux-keepalived.pp
libsepol.print_missing_requirements: tripleo-selinux-keepalived's global requirements were not met: type/attribute nova_conductor_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!
Comment 2 Milos Malik 2014-10-13 07:59:01 UTC 
The nova_conductor_t type is defined in selinux-policy >= 3.13. Could you remove that type from tripleo-selinux-keepalived.te ?
Comment 3 Miroslav Grepl 2014-10-13 08:07:15 UTC 
How does the custom policy look?
Comment 4 Richard Su 2014-10-14 03:27:43 UTC 
After removing nova_conductor_t, the policy still failed to install. I had to remove the following for the custom policy to install.

nova_conductor_t
cinder_scheduler_t 
cinder_volume_t
cinder_api_t
Comment 5 Richard Su 2014-10-22 05:56:45 UTC 
Switching this from Red Hat Enterprise Linux selinux-policy to Red Hat Openstack openstack-selinux because nova_conductor_t is defined in the RHEL 7.1 selinux-policy, and we need this fixed for RHOS 5 / RHEL 7.0.
Comment 6 Richard Su 2014-10-22 05:58:44 UTC 
Created attachment 949258 [details]
updated custom policy
Comment 8 Lon Hohberger 2014-10-22 17:20:18 UTC 
I recommend simply doing:

optional_policy(`
    unconfined_domain(keepalived_t);
')
Comment 9 Lon Hohberger 2014-10-22 17:24:52 UTC 
whoops...

module tripleo-selinux-keepalived 1.0;

require {
    type keepalived_t;
}

optional_policy(`
        unconfined_domain(keepalived_t)
')
Comment 10 Lon Hohberger 2014-10-22 17:25:48 UTC 
Last one, I promise:

policy_module(tripleo-selinux-keepalived, 1.0.0)

gen_require(`
        type swift_t;
')

optional_policy(`
        unconfined_domain(keepalived_t)
')
Comment 13 Ryan Hallisey 2014-10-22 18:19:56 UTC 
This worked for me:

domain_read_all_domains_state(keepalived_t)
allow keepalived_t haproxy_t:process signull;
allow keepalived_t self:capability kill;

#============= rabbitmq_beam_t ==============
allow rabbitmq_beam_t rabbitmq_var_lib_t:lnk_file read;

#============= rhsmcertd_t ==============
allow rhsmcertd_t rpm_var_lib_t:dir { write add_name };
allow rhsmcertd_t rpm_var_lib_t:file create;
Comment 14 Lon Hohberger 2014-10-22 18:43:34 UTC 
That's more ideal than unconfined_domain and should avoid the type issue.

Though, the last two lines seem ... out of place/context?
Comment 20 Lon Hohberger 2015-09-02 19:58:50 UTC 
[root@rhel7 ~]# seinfo -t | grep nova_

Does not show nova_provider_t even with RHEL 7.1 and current openstack-selinux.
Comment 22 Lon Hohberger 2015-09-02 20:03:49 UTC 
The tripleo component was never shipped against RHEL OSP 5, and this is resolved on RHEL OSP 7.