Bug 1250906 - [director] Documentation for configuring undercloud.conf with SELinux is incorrect
Status: CLOSED DUPLICATE of bug 1242660
Product: Red Hat OpenStack
Classification: Red Hat
Component: documentation
7.0 (Kilo)
Unspecified Unspecified
unspecified Severity unspecified
: ---
: Director
Assigned To: RHOS Documentation Team
RHOS Documentation Team
: Documentation
Reported: 2015-08-06 05:30 EDT by Dariusz Smigiel
Modified: 2015-08-06 07:30 EDT
Doc Type: Bug Fix
Last Closed: 2015-08-06 07:30:48 EDT
Type: Bug
Description Dariusz Smigiel 2015-08-06 05:30:07 EDT
Following the documentation for OSP7, in the section "Configuring The Director" under "undercloud_service_certificate" there is a command to be run:
`sudo semanage fcontext haproxy_t /etc/pki/instack-certs/*`

Running it produces an error:
```
[stack@gklab-17-081 ~]$ sudo semanage fcontext haproxy_t /etc/pki/instack-certs/*
usage: semanage [-h]

                {import,export,login,user,port,interface,module,node,fcontext,boolean,permissive,dontaudit}
                ...
semanage: error: unrecognized arguments: /etc/pki/instack-certs/undercloud.pem
```

Even when I've tried to add params to semanage, it still doesn't work.
```
[stack@gklab-17-081 ~]$ sudo semanage fcontext -a -t haproxy_t /etc/pki/instack-certs/*
ValueError: Type haproxy_t is invalid, must be a file or device type
```

Link to documentation: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/7/html/Director_Installation_and_Usage/sect-Configuring_the_Director.html
Comment 3 Dariusz Smigiel 2015-08-06 05:46:02 EDT
There are other haproxy types:
```
[stack@gklab-17-081 ~]$ sudo semanage fcontext -l |grep haproxy
/usr/lib/systemd/system/haproxy.*                  regular file       system_u:object_r:haproxy_unit_file_t:s0
/usr/sbin/haproxy                                  regular file       system_u:object_r:haproxy_exec_t:s0
/usr/sbin/haproxy-systemd-wrapper                  regular file       system_u:object_r:haproxy_exec_t:s0
/var/lib/haproxy(/.*)?                             all files          system_u:object_r:haproxy_var_lib_t:s0
/var/run/haproxy\.pid                              regular file       system_u:object_r:haproxy_var_run_t:s0
/var/run/haproxy\.sock.*                           regular file       system_u:object_r:haproxy_var_run_t:s0
/var/run/haproxy\.stat.*                           regular file       system_u:object_r:haproxy_var_run_t:s0
```
Comment 4 Dariusz Smigiel 2015-08-06 05:52:48 EDT
Solution:
https://www.mankier.com/8/haproxy_selinux#Entrypoints

"The haproxy_t SELinux type can be entered via the haproxy_exec_t file type."
Comment 5 Dariusz Smigiel 2015-08-06 05:53:18 EDT
```
[root@gklab-17-081 selinux]# semanage fcontext haproxy_exec_t /etc/pki/instack-certs/*
usage: semanage [-h]

                {import,export,login,user,port,interface,module,node,fcontext,boolean,permissive,dontaudit}
                ...
semanage: error: unrecognized arguments: /etc/pki/instack-certs/undercloud.pem
[root@gklab-17-081 selinux]# semanage fcontext -a -t haproxy_exec_t /etc/pki/instack-certs/*
```
Comment 6 Mike Burns 2015-08-06 07:17:47 EDT
We found that etc_t would also work
Comment 7 Mike Burns 2015-08-06 07:30:48 EDT
This is actually a duplicate of bug 1242660.  Closing this and copying comments over

*** This bug has been marked as a duplicate of bug 1242660 ***
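
Added example, not part of the bug report or of the Red Hat documentation: a sketch of a persistent labelling sequence for the certificate directory, assuming the `etc_t` type that Comment 6 reports as working. The `CERT_DIR`, `SE_TYPE` and `APPLY` variables and the function names are hypothetical; the path is passed to `semanage` as a quoted regular expression because the shell expanded the unquoted `*` in the transcripts above to `undercloud.pem` before `semanage` saw it.

```shell
#!/bin/sh
# Added example (assumptions: etc_t per Comment 6; variable and function
# names are illustrative). Prints the commands unless APPLY=1 is set.
CERT_DIR="${CERT_DIR:-/etc/pki/instack-certs}"
SE_TYPE="${SE_TYPE:-etc_t}"

# Build the file-context regex covering the directory and everything below it.
# semanage fcontext takes a regular expression, not a shell glob.
fcontext_spec() {
    printf '%s(/.*)?' "${1%/}"
}

# Dry run by default: print each argument quoted so it is visible that the
# shell must not expand the pattern. With APPLY=1 (as root) run the command.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        for arg in "$@"; do printf "'%s' " "$arg"; done
        printf '\n'
    fi
}

label_cert_dir() {
    spec=$(fcontext_spec "$CERT_DIR")
    # -a adds a rule; fall back to -m (modify) when a rule already exists.
    run semanage fcontext -a -t "$SE_TYPE" "$spec" ||
        run semanage fcontext -m -t "$SE_TYPE" "$spec"
    # The rule only changes policy; restorecon applies it to files on disk.
    run restorecon -Rv "$CERT_DIR"
    # Show the resulting label on the directory.
    run ls -dZ "$CERT_DIR"
}

label_cert_dir
```

Note that `semanage fcontext -a` on its own, as run at the end of Comment 5, records the rule but does not relabel existing files; that is what the `restorecon` step is for.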
