Bug 1233063 - rhel-osp-director: overcloud runs with selinux in permissive mode
Summary: rhel-osp-director: overcloud runs with selinux in permissive mode
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: python-rdomanager-oscplugin
Version: Director
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ga
Target Release: Director
Assignee: James Slagle
QA Contact: Ofer Blaut
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-06-18 07:25 UTC by Ofer Blaut
Modified: 2015-08-05 13:54 UTC (History)

Fixed In Version: python-rdomanager-oscplugin-0.0.8-14.el7ost instack-undercloud-2.1.2-7.el7ost
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-08-05 13:54:35 UTC
Target Upstream Version:


Links
| System                 | ID             | Priority | Status       | Summary                                                     | Last Updated            |
| Gerrithub.io           | 237539         | None     | None         | None                                                        | Never                   |
| Gerrithub.io           | 237540         | None     | None         | None                                                        | Never                   |
| Red Hat Product Errata | RHEA-2015:1549 | normal   | SHIPPED_LIVE | Red Hat Enterprise Linux OpenStack Platform director Release | 2015-08-05 17:49:10 UTC |

Description Ofer Blaut 2015-06-18 07:25:31 UTC
Description of problem:

SELinux is running in permissive mode in the overcloud.

[stack@puma33 ~]$ nova list
+--------------------------------------+------------------------+--------+------------+-------------+---------------------+
| ID                                   | Name                   | Status | Task State | Power State | Networks            |
+--------------------------------------+------------------------+--------+------------+-------------+---------------------+
| c938355a-bace-47b8-ab65-45d930ca7501 | overcloud-compute-0    | ACTIVE | -          | Running     | ctlplane=192.0.2.15 |
| 9767ba09-739b-41a2-95a0-9248d0d77ced | overcloud-controller-0 | ACTIVE | -          | Running     | ctlplane=192.0.2.17 |
| fd51d043-6c6c-4c1f-a089-037025ec7cfa | overcloud-controller-1 | ACTIVE | -          | Running     | ctlplane=192.0.2.16 |
| db7a5c5a-9990-4f9a-a472-919a3a284e31 | overcloud-controller-2 | ACTIVE | -          | Running     | ctlplane=192.0.2.18 |
+--------------------------------------+------------------------+--------+------------+-------------+---------------------+
[stack@puma33 ~]$ ssh heat-admin@192.0.2.15
Last login: Thu Jun 18 02:26:29 2015 from 192.0.2.1
[heat-admin@overcloud-compute-0 ~]$ sudo sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
[heat-admin@overcloud-compute-0 ~]$ exit
logout
Connection to 192.0.2.15 closed.
[stack@puma33 ~]$ ssh heat-admin@192.0.2.16
Last login: Thu Jun 18 02:58:37 2015 from 192.0.2.1
[heat-admin@overcloud-controller-1 ~]$ sudo sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
[heat-admin@overcloud-controller-1 ~]$ 




Version-Release number of selected component (if applicable):

instack-undercloud-2.1.2-1.el7ost.noarch


How reproducible:


Steps to Reproduce:
1. Log in to the overcloud hosts (controllers and computes)
2. Check the SELinux status

Actual results:


Expected results:


Additional info:

Comment 2 Mike Burns 2015-06-18 09:38:40 UTC
changing summary -- it's not dependent on HA vs non-HA

Comment 3 James Slagle 2015-06-19 17:12:19 UTC
fix in both instack-build-images and unified cli

Comment 4 James Slagle 2015-06-24 21:16:53 UTC
I've manually tested with the images from http://rhos-release.virt.bos.redhat.com/mburns/2015-06-24.1/images/

I edited overcloud-full.qcow2 and set selinux=enforcing and was able to deploy an Overcloud.

python-rdomanager-oscplugin patch: https://review.gerrithub.io/237539
instack-undercloud patch: https://review.gerrithub.io/237540

Comment 6 Omri Hochman 2015-07-02 21:29:14 UTC
Verified : 
python-rdomanager-oscplugin-0.0.8-18.el7ost.noarch, 
instack-undercloud-2.1.2-11.el7ost.noarch

Comment 8 errata-xmlrpc 2015-08-05 13:54:35 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2015:1549
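
The check from the reproduction steps in the description (log in to each overcloud node and read `sestatus`), as an added script that is not part of the bug report or of the director code. The function names and verdict strings are assumptions made for this example; the `heat-admin` login and `sudo sestatus` call are taken from the report.

```shell
# Added example, not from the bug report: audit overcloud nodes for SELinux mode.

# Classify `sestatus` output read on stdin into a single verdict word.
selinux_verdict() {
    awk -F': *' '
        { sub(/[ \t\r]+$/, "") }              # trim trailing blanks / CR from ssh output
        /^SELinux status:/        { status  = $2 }
        /^Current mode:/          { current = $2 }
        /^Mode from config file:/ { config  = $2 }
        END {
            if (status == "")                print "unknown"
            else if (status != "enabled")    print "disabled"
            else if (current != "enforcing") print "runtime-" current
            else if (config != "enforcing")  print "config-" config
            else                             print "enforcing"
        }'
}

# Fetch sestatus from one node, logging in the way the report does.
fetch_sestatus() {
    ssh -o BatchMode=yes "heat-admin@$1" sudo sestatus </dev/null 2>/dev/null
}

# audit_nodes HOST...: print "<host> <verdict>"; return 1 unless every node enforces.
audit_nodes() {
    rc=0
    for host in "$@"; do
        verdict=$(fetch_sestatus "$host" | selinux_verdict)
        echo "$host $verdict"
        [ "$verdict" = "enforcing" ] || rc=1
    done
    return "$rc"
}

# Sample input: the mode lines the report shows for overcloud-compute-0.
sample_report() {
    printf '%s\n' 'SELinux status:                 enabled' \
        'Current mode:                   permissive' \
        'Mode from config file:          permissive'
}

# Constructed sample: enforcing now, but the config file reverts it at next boot.
sample_drift() {
    printf '%s\n' 'SELinux status:                 enabled' \
        'Current mode:                   enforcing' \
        'Mode from config file:          permissive'
}

sample_report | selinux_verdict   # runtime-permissive
sample_drift  | selinux_verdict   # config-permissive
```

Run `audit_nodes` with the ctlplane addresses from `nova list`; a non-zero exit status means at least one node is not enforcing at runtime and in its config file.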

