Bug 1195252 - [keystone] - selinux denial
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux
Version: 6.0 (Juno)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: low
Target Milestone: z2
Target Release: 6.0 (Juno)
Assignee: Lon Hohberger
QA Contact: Mike Abrams
Duplicates: 1199149
 
Reported: 2015-02-23 13:34 UTC by tkammer
Modified: 2022-07-09 07:18 UTC

Fixed In Version: openstack-selinux-0.6.23-2.el7ost
Doc Type: Known Issue
Doc Text:
A quiet dependency on a newer version of selinux-policy causes openstack-selinux 0.6.23 to fail to install modules when paired with selinux-policy packages from Red Hat Enterprise Linux 7.0 or 7.0.z. This causes Identity and other OpenStack services to receive 'AVC' denials under some circumstances, causing them to malfunction. The following workarounds allow the OpenStack services to function correctly:
1) Leave openstack-selinux at 0.6.18-2.el7ost until you are ready to update to Red Hat Enterprise Linux 7.1. At that time, a 'yum update' will resolve the issue.
2) Install the updated selinux-policy and selinux-policy-targeted packages from Red Hat Enterprise Linux 7.1 (version selinux-policy-3.13.1-23.el7 or later), then update openstack-selinux to version 0.6.23-1.el7ost.
Last Closed: 2015-04-07 15:10:30 UTC

Links
System: Red Hat Product Errata
ID: RHSA-2015:0789
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Important: openstack-packstack and openstack-puppet-modules security and bug fix update
Last Updated: 2015-04-07 19:08:02 UTC

Comment 3 Nathan Kinder 2015-02-26 00:48:20 UTC
Reassigning to openstack-selinux.

Comment 4 Ryan Hallisey 2015-02-26 13:00:20 UTC
What version of openstack-selinux is installed?  This rule was allowed a while back.

Comment 5 tkammer 2015-02-26 13:36:08 UTC
(In reply to Ryan Hallisey from comment #4)
> What version of openstack-selinux is installed?  This rule was allowed a
> while back.

openstack-selinux-0.6.23-1.el7ost.noarch

Comment 6 Lon Hohberger 2015-02-26 14:43:16 UTC
Perhaps we should blacklist openstack-selinux-0.6.23 when testing 7.0 - does it require 7.1 stuff?

Comment 7 Lon Hohberger 2015-02-26 15:12:54 UTC
7.0.z + GA openstack-selinux => OK
7.0.z + A1 openstack-selinux => FAIL
7.1   + GA openstack-selinux => OK
7.1   + A1 openstack-selinux => OK

Comment 8 Lon Hohberger 2015-02-26 15:16:58 UTC
However, I can't explain why it failed.  No rules related to keystone have changed in openstack-selinux.

Comment 9 Lon Hohberger 2015-02-26 15:47:06 UTC
This failed because 0.6.23 was built against selinux-policy-3.13.1-23.el7. This causes loading all openstack-selinux modules to quietly fail after RPM installation when coupled with the 7.0.z selinux-policy packages.

Rebuilding the openstack-selinux package against selinux-policy-3.12.1-153.el7_0.13 resolves the issue.

So, we can rebuild it, require the newer selinux-policy, or add a release note.

Comment 10 Lon Hohberger 2015-02-26 15:50:20 UTC
Each module has this error:

libsepol.permission_copy_callback: Module os-glance depends on permission kill in class system, not satisfied (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
/usr/sbin/semodule:  Failed!

Comment 13 Lon Hohberger 2015-02-26 16:15:08 UTC
There's a quiet dependency on newer selinux-policy that causes openstack-selinux 0.6.23 to fail to install modules when paired with selinux-policy packages from Red Hat Enterprise Linux 7.0 or 7.0.z.

Keystone and other OpenStack services may receive 'AVC' denials, causing them to malfunction.

Several workarounds exist:

1) Leave openstack-selinux at 0.6.18-2.el7ost until you are ready to update to Red Hat Enterprise Linux 7.1.  At that time, a 'yum update' should resolve the issue.

2) Install the updated selinux-policy and selinux-policy-targeted packages from Red Hat Enterprise Linux 7.1 (version selinux-policy-3.13.1-23.el7 or later) and then update openstack-selinux to version 0.6.23-1.el7ost.

Comment 14 Lon Hohberger 2015-03-05 14:42:34 UTC
*** Bug 1199149 has been marked as a duplicate of this bug. ***

Comment 15 Lon Hohberger 2015-03-05 15:13:14 UTC
Subscription manager users can do:

# yum downgrade openstack-selinux-0.6.18-2.el7ost

Comment 18 Ami Jeain 2015-03-15 09:11:55 UTC
Please work with Tal Kammer in reproducing as he has reported this bug

Comment 21 Mike Abrams 2015-03-22 13:14:07 UTC
Passed on the right version (VERIFIED):

[root@RHEL7Server yum.repos.d]# rpm -qa openstack-selinux
openstack-selinux-0.6.23-1.el7ost.noarch
[root@RHEL7Server yum.repos.d]# semodule -l | grep 'os-'
os-glance	0.1	
os-keepalived	0.1	
os-keystone	0.1	
os-mysql	0.1	
os-neutron	0.1	
os-nova	0.1	
os-ovs	0.1	
os-rabbitmq	0.1	
os-rsync	0.1	
os-swift	0.1	
[root@RHEL7Server yum.repos.d]#
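
Added example (not part of the bug report or of openstack-selinux): a shell check for the silent module-load failure described in comments 9 and 10, using the module list from comment 21 as the expected set. The function names and the sample module list are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect the silent module-load failure from this bug by
# checking what is actually loaded after the RPM transaction, instead of
# trusting the installed package version.

# Module names as listed by `semodule -l | grep 'os-'` in comment 21.
EXPECTED_MODULES="os-glance os-keepalived os-keystone os-mysql os-neutron
os-nova os-ovs os-rabbitmq os-rsync os-swift"

# Reads `semodule -l` output on stdin; prints each expected module that is
# absent from the loaded-module list, one per line (exact name match).
missing_modules() {
    loaded=$(awk '{print $1}')
    for m in $EXPECTED_MODULES; do
        printf '%s\n' "$loaded" | grep -qx -- "$m" || printf '%s\n' "$m"
    done
}

# Reads semodule output on stdin; prints "module class permission" for each
# unsatisfied-dependency line of the form quoted in comment 10.
unsatisfied_deps() {
    sed -n 's/^libsepol\.permission_copy_callback: Module \([^ ]*\) depends on permission \([^ ]*\) in class \([^ ,]*\), not satisfied.*/\1 \3 \2/p'
}

# Live check for a real host: returns 0 if all expected modules are loaded,
# 1 if any are missing, 2 if semodule is unavailable.
check_host() {
    command -v semodule >/dev/null 2>&1 || return 2
    missing=$(semodule -l | missing_modules)
    [ -z "$missing" ] && return 0
    echo "openstack-selinux modules not loaded:" $missing >&2
    return 1
}

# Constructed sample: a module list in which os-glance and os-keystone
# failed to load while the other modules are present.
sample_partial_list() {
    printf '%s\t0.1\n' os-keepalived os-mysql os-neutron os-nova \
        os-ovs os-rabbitmq os-rsync os-swift zebra
}
```

On a host, run `check_host` after every openstack-selinux or selinux-policy update; feeding the output of a failed `semodule` run to `unsatisfied_deps` shows which permission the installed base policy lacks.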

Comment 23 errata-xmlrpc 2015-04-07 15:10:30 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0789.html

