
Bug 1155287

Summary: SELinux: openssl cannot access /run/keystone
Product: Red Hat OpenStack
Reporter: Richard Su <rwsu>
Component: openstack-selinux
Assignee: Ryan Hallisey <rhallise>
Status: CLOSED WORKSFORME
QA Contact: Ami Jeain <ajeain>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 5.0 (RHEL 7)
CC: lhh, mgrepl, yeylon
Target Milestone: ---
Keywords: ZStream
Target Release: 5.0 (RHEL 7)
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-12-12 23:05:49 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments: audit.log (flags: none)

Description Richard Su 2014-10-21 20:00:43 UTC
Created attachment 949098 (audit.log)

Description of problem:
openssl via keystone is unable to write to /run/keystone. /run/keystone is labeled as var_run_t. 

This issue has been fixed on RHEL 7.1 (bz 1144158) but we also need a fix for next RHOS release.

type=AVC msg=audit(1411007901.216:3108): avc:  denied  { setattr } for  pid=31407 comm="openssl" name=".rnd" dev="tmpfs" ino=76799 scontext=system_u:system_r:keystone_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1411008208.218:4024): avc:  denied  { getattr } for  pid=32069 comm="openssl" path="/run/keystone/.rnd" dev="tmpfs" ino=76799 scontext=system_u:system_r:keystone_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1411008208.219:4025): avc:  denied  { read } for  pid=32069 comm="openssl" name=".rnd" dev="tmpfs" ino=76799 scontext=system_u:system_r:keystone_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1411008208.219:4025): avc:  denied  { open } for  pid=32069 comm="openssl" path="/run/keystone/.rnd" dev="tmpfs" ino=76799 scontext=system_u:system_r:keystone_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1411008208.223:4026): avc:  denied  { write } for  pid=32069 comm="openssl" name=".rnd" dev="tmpfs" ino=76799 scontext=system_u:system_r:keystone_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1411008208.223:4027): avc:  denied  { setattr } for  pid=32069 comm="openssl" name=".rnd" dev="tmpfs" ino=76799 scontext=system_u:system_r:keystone_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file

[root@localhost audit]# find / -inum 76799
/run/keystone/.rnd

[root@localhost audit]# ls -Z /run/keystone/.rnd
-rw-------. keystone keystone system_u:object_r:var_run_t:s0   /run/keystone/.rnd

Changing the label to keystone_var_lib_t appears to fix the problem.

[root@localhost audit]# ls -Z /run | grep keystone
drwxr-xr-x. keystone   keystone   unconfined_u:object_r:keystone_var_lib_t:s0 keystone

But I think we need a proper default label for /run/keystone similar to what was done in Fedora in BZ 1123013.


Version-Release number of selected component (if applicable):
openstack-selinux-0.5.15-1.el7ost.noarch
selinux-policy-3.12.1-153.el7_0.10.noarch
selinux-policy-targeted-3.12.1-153.el7_0.10.noarch

How reproducible:
always

Steps to Reproduce:
1. Install instack-undercloud via source.

Actual results:
openssl denials logged.

Expected results:
No denials are logged.

Additional info:

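The denials above are easier to reason about once they are grouped by the object they refer to. The following parser is added here as an illustration; it is not part of this report, of openstack-selinux, or of any Red Hat tooling. It takes the AVC records quoted in the description, groups them by (device, inode), collects the denied permissions plus the source domain and target type, and then compares the target's actual type with the type that the policy is expected to assign under a directory. The expected mapping (/run/keystone should be keystone_var_run_t) and the restorecon command come from comment 2 of this report; the function names, the grouping logic and the record format assumptions (name= or path=, one record per line) are mine.

```python
import re

# AVC records exactly as quoted in the description of this bug (not constructed).
SAMPLE_AVC = """
type=AVC msg=audit(1411007901.216:3108): avc:  denied  { setattr } for  pid=31407 comm="openssl" name=".rnd" dev="tmpfs" ino=76799 scontext=system_u:system_r:keystone_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1411008208.218:4024): avc:  denied  { getattr } for  pid=32069 comm="openssl" path="/run/keystone/.rnd" dev="tmpfs" ino=76799 scontext=system_u:system_r:keystone_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1411008208.219:4025): avc:  denied  { read } for  pid=32069 comm="openssl" name=".rnd" dev="tmpfs" ino=76799 scontext=system_u:system_r:keystone_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1411008208.219:4025): avc:  denied  { open } for  pid=32069 comm="openssl" path="/run/keystone/.rnd" dev="tmpfs" ino=76799 scontext=system_u:system_r:keystone_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1411008208.223:4026): avc:  denied  { write } for  pid=32069 comm="openssl" name=".rnd" dev="tmpfs" ino=76799 scontext=system_u:system_r:keystone_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1411008208.223:4027): avc:  denied  { setattr } for  pid=32069 comm="openssl" name=".rnd" dev="tmpfs" ino=76799 scontext=system_u:system_r:keystone_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
"""

# Matches the file-class AVC layout used above; name= and path= are both optional
# because the kernel emits one or the other depending on the operation.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+\{ (?P<perms>[^}]+) \}'
    r' for\s+pid=(?P<pid>\d+) comm="(?P<comm>[^"]+)"'
    r'(?: name="(?P<name>[^"]+)")?(?: path="(?P<path>[^"]+)")?'
    r' dev="(?P<dev>[^"]+)" ino=(?P<ino>\d+)'
    r' scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = set(rec["perms"].split())
    return rec


def selinux_type(context):
    """user:role:type[:range] -> type (e.g. 'var_run_t')."""
    return context.split(":")[2]


def summarize(text):
    """Group denials by (dev, ino) so every record for the same object lands together."""
    groups = {}
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["dev"], rec["ino"])
        g = groups.setdefault(key, {
            "perms": set(), "comms": set(), "source_types": set(),
            "target_types": set(), "paths": set(), "tclass": rec["tclass"],
        })
        g["perms"] |= rec["perms"]
        g["comms"].add(rec["comm"])
        g["source_types"].add(selinux_type(rec["scontext"]))
        g["target_types"].add(selinux_type(rec["tcontext"]))
        for field in ("path", "name"):
            if rec[field]:
                g["paths"].add(rec[field])
    return groups


def find_mislabeled(groups, expected_types):
    """Flag objects whose target type differs from the type expected under a prefix.

    expected_types maps a directory to the file type the policy should assign
    there; for this report that is {"/run/keystone": "keystone_var_run_t"}.
    Only absolute paths are checked; a bare name= cannot be placed in the tree.
    """
    findings = []
    for g in groups.values():
        for path in sorted(p for p in g["paths"] if p.startswith("/")):
            for prefix, want in expected_types.items():
                if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
                    for actual in sorted(g["target_types"]):
                        if actual != want:
                            # The remediation quoted in comment 2 of this report.
                            findings.append((path, actual, want, f"restorecon -R -v {path}"))
    return findings


if __name__ == "__main__":
    groups = summarize(SAMPLE_AVC)
    for (dev, ino), g in groups.items():
        print(f"{dev}:{ino} {sorted(g['paths'])} class={g['tclass']} "
              f"{sorted(g['source_types'])} -> {sorted(g['target_types'])} "
              f"denied={sorted(g['perms'])} comm={sorted(g['comms'])}")
    for path, actual, want, fix in find_mislabeled(groups, {"/run/keystone": "keystone_var_run_t"}):
        print(f"{path}: labelled {actual}, expected {want}; fix: {fix}")
```

Grouping by inode rather than by path is deliberate: in the report only some records carry path=, the others carry only name=".rnd", and it is the shared ino=76799 that ties them to the same file the reporter located with find -inum. On a live system the same check can be run against ausearch -m avc output, and the expected type should be taken from matchpathcon rather than hard-coded.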
Comment 2 Ryan Hallisey 2014-11-17 22:11:49 UTC
/run/keystone/.rnd needs to be labelled keystone_var_run_t

# restorecon -R -v /run/keystone/.rnd

However the file is created, you need to run a restorecon on it once it has been added to /run/keystone.

Comment 3 Miroslav Grepl 2014-11-21 14:31:10 UTC
It looks like keystone was executed by hand? Are we able to reproduce it?

Comment 4 Richard Su 2014-12-12 23:05:49 UTC
This bug doesn't appear with openstack-selinux-0.6.4-1.el7ost.noarch. Closing.