Bug 1195252 - [keystone] - selinux denial
Status: CLOSED ERRATA
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux
Version: 6.0 (Juno)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: low
Target Milestone: z2
Target Release: 6.0 (Juno)
Assigned To: Lon Hohberger
QA Contact: Mike Abrams
Keywords: ZStream
Duplicates: 1199149
Reported: 2015-02-23 08:34 EST by tkammer
Modified: 2016-04-26 16:59 EDT
Fixed In Version: openstack-selinux-0.6.23-2.el7ost
Doc Type: Known Issue
Doc Text:
A quiet dependency on a newer version of selinux-policy causes openstack-selinux 0.6.23 to fail to install modules when paired with selinux-policy packages from Red Hat Enterprise Linux 7.0 or 7.0.z. This causes Identity and other OpenStack services to receive 'AVC' denials under some circumstances, causing them to malfunction. The following workarounds allow the OpenStack services to function correctly: 1) Leave openstack-selinux at 0.6.18-2.el7ost until you are ready to update to Red Hat Enterprise Linux 7.1. At that time, a 'yum update' will resolve the issue. 2) Install the updated selinux-policy and selinux-policy-targeted packages from Red Hat Enterprise Linux 7.1 (version selinux-policy-3.13.1-23.el7 or later), then update openstack-selinux to version 0.6.23-1.el7ost.
Last Closed: 2015-04-07 11:10:30 EDT
Type: Bug
External Trackers:
Tracker: Red Hat Product Errata
ID: RHSA-2015:0789
Priority: normal
Status: SHIPPED_LIVE
Summary: Important: openstack-packstack and openstack-puppet-modules security and bug fix update
Last Updated: 2015-04-07 15:08:02 EDT
Comment 3 Nathan Kinder 2015-02-25 19:48:20 EST
Reassigning to openstack-selinux.
Comment 4 Ryan Hallisey 2015-02-26 08:00:20 EST
What version of openstack-selinux is installed?  This rule was allowed a while back.
Comment 5 tkammer 2015-02-26 08:36:08 EST
(In reply to Ryan Hallisey from comment #4)
> What version of openstack-selinux is installed?  This rule was allowed a
> while back.

openstack-selinux-0.6.23-1.el7ost.noarch
Comment 6 Lon Hohberger 2015-02-26 09:43:16 EST
Perhaps we should blacklist openstack-selinux-0.6.23 when testing 7.0 - does it require 7.1 stuff?
Comment 7 Lon Hohberger 2015-02-26 10:12:54 EST
7.0.z + GA openstack-selinux => OK
7.0.z + A1 openstack-selinux => FAIL
7.1   + GA openstack-selinux => OK
7.1   + A1 openstack-selinux => OK
Comment 8 Lon Hohberger 2015-02-26 10:16:58 EST
However, I can't explain why it failed.  No rules related to keystone have changed in openstack-selinux.
Comment 9 Lon Hohberger 2015-02-26 10:47:06 EST
This failed because 0.6.23 was built against selinux-policy-3.13.1-23.el7. This causes loading all openstack-selinux modules to quietly fail after RPM installation when coupled with the 7.0.z selinux-policy packages.

Rebuilding the openstack-selinux package against selinux-policy-3.12.1-153.el7_0.13 resolves the issue.

So, we can rebuild it, require the newer selinux-policy, or add a release note.
Comment 10 Lon Hohberger 2015-02-26 10:50:20 EST
Each module has this error:

libsepol.permission_copy_callback: Module os-glance depends on permission kill in class system, not satisfied (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
/usr/sbin/semodule:  Failed!
Comment 13 Lon Hohberger 2015-02-26 11:15:08 EST
There's a quiet dependency on newer selinux-policy that causes openstack-selinux 0.6.23 to fail to install modules when paired with selinux-policy packages from Red Hat Enterprise Linux 7.0 or 7.0.z.

Keystone and other OpenStack services may receive 'AVC' denials, causing them to malfunction.

Several workarounds exist:

1) Leave openstack-selinux at 0.6.18-2.el7ost until you are ready to update to Red Hat Enterprise Linux 7.1.  At that time, a 'yum update' should resolve the issue.

2) Install the updated selinux-policy and selinux-policy-targeted packages from Red Hat Enterprise Linux 7.1 (version selinux-policy-3.13.1-23.el7 or later) and then update openstack-selinux to version 0.6.23-1.el7ost.
Comment 14 Lon Hohberger 2015-03-05 09:42:34 EST
*** Bug 1199149 has been marked as a duplicate of this bug. ***
Comment 15 Lon Hohberger 2015-03-05 10:13:14 EST
Subscription manager users can do:

# yum downgrade openstack-selinux-0.6.18-2.el7ost
Comment 18 Ami Jeain 2015-03-15 05:11:55 EDT
plz work with Tal Kammer in reproducing, as he has reported this bug
Comment 21 Mike Abrams 2015-03-22 09:14:07 EDT
Passed on the right version (VERIFIED):

[root@RHEL7Server yum.repos.d]# rpm -qa openstack-selinux
openstack-selinux-0.6.23-1.el7ost.noarch
[root@RHEL7Server yum.repos.d]# semodule -l | grep 'os-'
os-glance	0.1	
os-keepalived	0.1	
os-keystone	0.1	
os-mysql	0.1	
os-neutron	0.1	
os-nova	0.1	
os-ovs	0.1	
os-rabbitmq	0.1	
os-rsync	0.1	
os-swift	0.1	
[root@RHEL7Server yum.repos.d]#
Comment 23 errata-xmlrpc 2015-04-07 11:10:30 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0789.html
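
Added example, not part of the original bug report or of openstack-selinux: a shell check for the quiet module-load failure described in comments 9 to 13, using the module list from comment 21 and the minimum selinux-policy version from comment 13. The function names, the constructed sample listing and the use of GNU `sort -V` as a stand-in for RPM version comparison are assumptions.

```shell
#!/bin/bash
# Added example: detect openstack-selinux modules that failed to load quietly.

# Modules shown in comment 21's `semodule -l | grep 'os-'` output.
EXPECTED_MODULES="os-glance os-keepalived os-keystone os-mysql os-neutron os-nova os-ovs os-rabbitmq os-rsync os-swift"
# Minimum selinux-policy version-release named in comment 13.
MIN_POLICY="3.13.1-23.el7"

# missing_modules LISTING: print every expected module that is absent from
# `semodule -l`-style text (first whitespace-separated field is the name).
missing_modules() {
    loaded=$(printf '%s\n' "$1" | awk '{print $1}')
    for m in $EXPECTED_MODULES; do
        printf '%s\n' "$loaded" | grep -qx -- "$m" || printf '%s\n' "$m"
    done
}

# policy_ok VERSION-RELEASE: succeed if it sorts at or above MIN_POLICY.
# Assumption: GNU `sort -V` ordering approximates RPM's version comparison.
policy_ok() {
    lowest=$(printf '%s\n%s\n' "$MIN_POLICY" "$1" | sort -V | head -n 1)
    [ "$lowest" = "$MIN_POLICY" ]
}

# check_host POLICY_VR LISTING: print a verdict; return 0 only when every
# expected module is loaded, since the RPM install itself reports no error.
check_host() {
    missing=$(missing_modules "$2")
    if [ -z "$missing" ]; then
        echo "OK: all os-* modules loaded"
        return 0
    fi
    if policy_ok "$1"; then hint="policy is new enough; check semodule errors"
    else hint="selinux-policy $1 is older than $MIN_POLICY"; fi
    echo "FAIL: missing:" $missing "($hint)"
    return 1
}

# Constructed sample: a 7.0.z host where no os-* module was loaded.
SAMPLE_LISTING=$(printf 'abrt\t1.2.0\nzebra\t1.13.0\n')
check_host "3.12.1-153.el7_0.13" "$SAMPLE_LISTING" || true

# Live use on a host (as root):
# check_host "$(rpm -q --qf '%{VERSION}-%{RELEASE}' selinux-policy)" "$(semodule -l)"
```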
