Bug 1185444 - selinux policy updates required for rabbitmq pacemaker resource-agent
Summary: selinux policy updates required for rabbitmq pacemaker resource-agent
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux
Version: 5.0 (RHEL 7)
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: z1
Target Release: 6.0 (Juno)
Assignee: Ryan Hallisey
QA Contact: Leonid Natapov
URL:
Whiteboard:
Depends On:
Blocks: 1168755 1177026 1184280 1185907 1185909
Reported: 2015-01-23 18:19 UTC by David Vossel
Modified: 2023-02-22 23:02 UTC (History)

Fixed In Version: openstack-selinux-0.6.18-1.el7ost
Doc Type: Enhancement
Doc Text:
This update introduces the rabbitmq-cluster resource agent for managing clustered RabbitMQ instances with the Pacemaker cluster manager.
Clone Of: 1184280
Clones: 1185907
Environment:
Last Closed: 2015-03-05 18:22:38 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
audit-logs (149.76 KB, text/plain)
2015-01-23 18:24 UTC, David Vossel
no flags Details


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:0640 0 normal SHIPPED_LIVE Red Hat Enterprise Linux OpenStack Platform Bug Fix and Enhancement Advisory 2015-03-05 23:17:40 UTC

Comment 1 David Vossel 2015-01-23 18:24:48 UTC
Created attachment 983497 [details]
audit-logs

Here's the problem. Pacemaker can't manage the rabbitmq-server instance using the new resource-agent created in rhbz#1184280

We need the selinux policy updated to allow the cluster to have permission to manage rabbitmq. I've updated the audit logs during a time period where the pacemaker managed the agent while selinux was set in permissive mode.

-- David

Comment 3 Ryan Hallisey 2015-01-23 19:47:28 UTC
allow systemd_logind_t cluster_t:dbus send_msg;

This rule really belongs in base policy.

Comment 4 Ryan Hallisey 2015-01-23 21:34:23 UTC
type=USER_AVC msg=audit(1422033446.927:1930): pid=593 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.159 spid=591 tpid=3187 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Comment 5 Ryan Hallisey 2015-01-23 21:36:36 UTC
I've confirmed that this user_AVC is causing things to break.
This looks like a base policy issue; what do you think, Mirek?

Comment 10 Ryan Hallisey 2015-01-26 17:34:23 UTC
I filed bugs so that it gets fixed in selinux-policy, but in the meantime I'll build into openstack-selinux.
Everything is all set to build in openstack-selinux; we just need pm-ack.

Comment 11 David Vossel 2015-01-26 22:41:30 UTC
(In reply to Ryan Hallisey from comment #10)
> I filed bugs so that it gets fixed in selinux-policy, but in the meantime
> I'll build into openstack-selinux.
> Everything is all set to build in openstack-selinux just need pm-ack.

I tested the scratch build. I can confirm it fixes the issue I encountered while trying to manage rabbitmq with the new pacemaker rabbitmq-cluster resource-agent.

-- David

Comment 16 Leonid Natapov 2015-02-19 14:41:53 UTC
Tested with openstack-selinux-0.6.21-1.el7ost.noarch
Created HA Neutron deployment with 3 controllers and 2 computes. 
No rabbitmq errors during the deployment.
rabbitmq resource agent is running.

Comment 17 Lars Kellogg-Stedman 2015-02-19 15:36:02 UTC
We just hit this error with openstack-selinux-0.6.21-1.el7ost.noarch on RHEL 7.0, with rabbitmq-server-3.3.5-3.el7ost.noarch and resource-agents-3.9.5-26.el7_0.7.x86_64:

# audit2allow -a
allow systemd_logind_t cluster_t:dbus send_msg;

# grep 'AVC.*cluster_t' /var/log/audit/audit.log
type=USER_AVC msg=audit(1424358149.668:9594): pid=577 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.2415 spid=574 tpid=25479 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
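The `allow systemd_logind_t cluster_t:dbus send_msg;` rule in comments 3 and 17 is what `audit2allow` derives from the `USER_AVC` record quoted in comments 4 and 17. The following is an added example, not part of the bug report or of openstack-selinux: a minimal Python re-implementation of that derivation, so the mapping from a denial record (`scontext`, `tcontext`, `tclass`, the braced permission set) to a Type Enforcement rule is visible. The first log line is the record from comment 17; the second `type=AVC` line and its `example_rabbitmq_data_t` type are constructed to show how permissions for the same source/target/class pair are merged into one rule, and are not real policy.

```python
"""Derive SELinux allow rules from AVC / USER_AVC audit records.

Added example (not from the bug report or openstack-selinux): a minimal
re-implementation of the part of audit2allow that turns denials into
Type Enforcement rules.
"""
import re
from collections import defaultdict

# Line 1: the USER_AVC record quoted in comment 17 of the bug.
# Line 2: a CONSTRUCTED record with a placeholder target type
#         (example_rabbitmq_data_t is not a real policy type); it exists only
#         to show permission merging and the file-class output format.
SAMPLE_AUDIT_LOG = """\
type=USER_AVC msg=audit(1424358149.668:9594): pid=577 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.2415 spid=574 tpid=25479 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1424358150.000:9595): avc:  denied  { read open } for  pid=25479 comm="rabbitmq-cluster" scontext=system_u:system_r:cluster_t:s0 tcontext=system_u:object_r:example_rabbitmq_data_t:s0 tclass=file
"""

# Matches the kernel/userspace AVC message body shared by AVC and USER_AVC records.
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r".*?tcontext=(?P<tcontext>\S+)"
    r".*?tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Return the type component (user:role:TYPE[:range]) of a security context."""
    return context.split(":")[2]


def parse_denials(log_text):
    """Yield (source_type, target_type, tclass, frozenset(perms)) per denial."""
    for line in log_text.splitlines():
        # Only AVC and USER_AVC records carry an avc: body; skip SYSCALL, PATH, etc.
        if "type=AVC" not in line and "type=USER_AVC" not in line:
            continue
        m = AVC_RE.search(line)
        if m is None or m.group("result") != "denied":
            continue  # malformed line, or a 'granted' auditallow record
        yield (
            type_of(m.group("scontext")),
            type_of(m.group("tcontext")),
            m.group("tclass"),
            frozenset(m.group("perms").split()),
        )


def allow_rules(log_text):
    """Collapse denials into TE allow rules, merging permissions per (src, tgt, class)."""
    merged = defaultdict(set)
    for src, tgt, tclass, perms in parse_denials(log_text):
        merged[(src, tgt, tclass)].update(perms)
    rules = []
    for (src, tgt, tclass), perms in sorted(merged.items()):
        if len(perms) == 1:
            perm_text = next(iter(perms))
        else:
            perm_text = "{ " + " ".join(sorted(perms)) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {perm_text};")
    return rules


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AUDIT_LOG):
        print(rule)
```

Running it prints `allow systemd_logind_t cluster_t:dbus send_msg;` for the record from the bug, matching the `audit2allow -a` output in comment 17. As comment 3 notes, a generated rule is a starting point for deciding where a permission belongs (here, base `selinux-policy` rather than `openstack-selinux`), not something to load unreviewed; the real `audit2allow` additionally considers booleans and `dontaudit` rules that this sketch omits.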

Comment 18 Leonid Natapov 2015-02-19 15:58:28 UTC
(In reply to Lars Kellogg-Stedman from comment #17)
> We just hit this error with openstack-selinux-0.6.21-1.el7ost.noarch on RHEL
> 7.0, with rabbitmq-server-3.3.5-3.el7ost.noarch and
> resource-agents-3.9.5-26.el7_0.7.x86_64:
> 
> # audit2allow -a
> allow systemd_logind_t cluster_t:dbus send_msg;
> 
> # grep 'AVC.*cluster_t' /var/log/audit/audit.log
> type=USER_AVC msg=audit(1424358149.668:9594): pid=577 uid=81 auid=4294967295
> ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.2415
> spid=574 tpid=25479 scontext=system_u:system_r:systemd_logind_t:s0
> tcontext=system_u:system_r:cluster_t:s0 tclass=dbus 
> exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

I don't see those errors. 

I am working with resource-agents-3.9.5-40.el7.1.x86_64

You are welcome to move this bug to ASSIGNED again if you think the problem still exists.

Comment 20 errata-xmlrpc 2015-03-05 18:22:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0640.html

