Bug 1280101 - rhel-osp-director: 8.0 - selinux errors on controllers.
Summary: rhel-osp-director: 8.0 - selinux errors on controllers.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux
Version: 7.0 (Kilo)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: beta
Target Release: 8.0 (Liberty)
Assignee: Ryan Hallisey
QA Contact: Alexander Chuzhoy
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-11-10 23:01 UTC by Alexander Chuzhoy
Modified: 2016-04-07 21:11 UTC (History)

Fixed In Version: openstack-selinux-0.6.45-1.el7ost
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-04-07 21:11:29 UTC
Target Upstream Version:
Embargoed:


Attachments
/var/log/messages (15.86 KB, application/x-gzip)
2015-11-10 23:03 UTC, Alexander Chuzhoy
/var/log/audit/audit.log (86.50 KB, application/x-gzip)
2015-11-10 23:04 UTC, Alexander Chuzhoy


Links
System ID: Red Hat Product Errata RHEA-2016:0603
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Red Hat OpenStack Platform 8 Enhancement Advisory
Last Updated: 2016-04-08 00:53:53 UTC

Description Alexander Chuzhoy 2015-11-10 23:01:38 UTC
rhel-osp-director: 8.0 - the undercloud deployment fails due to selinux.


Environment:
instack-undercloud-2.1.3-1.el7ost.noarch
openstack-selinux-0.6.42-1.el7ost.noarch

Steps to reproduce:
Attempt to deploy the undercloud.
Bear in mind https://bugzilla.redhat.com/show_bug.cgi?id=1280083.
Make sure to enable selinux (setenforce 1) after successfully passing the issue reported in https://bugzilla.redhat.com/show_bug.cgi?id=1280083.
Re-run "openstack undercloud install"


Result:

[2015-11-10 17:45:22,720] (os-refresh-config) [INFO] Completed phase post-configure
os-refresh-config completed successfully
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 563, in install
    _configure_ssh_keys()
  File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 541, in _configure_ssh_keys
    nova.keypairs.create('default', pubkey.read().rstrip())
  File "/usr/lib/python2.7/site-packages/novaclient/api_versions.py", line 349, in substitution
    return method.func(obj, *args, **kwargs)
  File "/usr/lib/python2.7/site-packages/novaclient/v2/keypairs.py", line 80, in create
    return self._create('/%s' % self.keypair_prefix, body, 'keypair')
  File "/usr/lib/python2.7/site-packages/novaclient/base.py", line 169, in _create
    _resp, body = self.api.client.post(url, body=body)
  File "/usr/lib/python2.7/site-packages/novaclient/client.py", line 449, in post
    return self._cs_request(url, 'POST', **kwargs)
  File "/usr/lib/python2.7/site-packages/novaclient/client.py", line 424, in _cs_request
    resp, body = self._time_request(url, method, **kwargs)
  File "/usr/lib/python2.7/site-packages/novaclient/client.py", line 397, in _time_request
    resp, body = self.request(url, method, **kwargs)
  File "/usr/lib/python2.7/site-packages/novaclient/client.py", line 366, in request
    **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/api.py", line 50, in request
    response = session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 464, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 576, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 415, in send
    raise ConnectionError(err, request=request)
requests.exceptions.ConnectionError: ('Connection aborted.', BadStatusLine("''",))
Command 'instack-install-undercloud' returned non-zero exit status 1


Here are the avc errors:

[stack@instack ~]$ sudo grep -i avc /var/log/audit/audit.log
type=USER_AVC msg=audit(1447193023.694:251): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=2)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1447193023.694:252): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=3)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1447193372.173:336): avc:  denied  { read } for  pid=25420 comm="dnsmasq" name="tftpboot" dev="sda1" ino=1572866 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1447193408.754:426): avc:  denied  { search } for  pid=26870 comm="neutron-server" name="httpd" dev="sda1" ino=793777 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir
type=AVC msg=audit(1447193408.754:427): avc:  denied  { search } for  pid=26870 comm="neutron-server" name="httpd" dev="sda1" ino=793777 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir
type=USER_AVC msg=audit(1447194387.136:673): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=4)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1447194387.136:674): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=5)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1447194408.663:679): avc:  denied  { read } for  pid=5498 comm="dnsmasq" name="tftpboot" dev="sda1" ino=1572866 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1447194462.903:725): avc:  denied  { read } for  pid=6542 comm="dnsmasq" name="tftpboot" dev="sda1" ino=1572866 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
type=USER_AVC msg=audit(1447194502.743:748): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1447194502.750:749): avc:  denied  { read } for  pid=6771 comm="dnsmasq" name="tftpboot" dev="sda1" ino=1572866 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
type=USER_AVC msg=audit(1447194616.439:884): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=1)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1447194676.501:915): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=6)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1447194676.501:916): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=7)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1447194753.696:970): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=8)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1447194753.696:971): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=9)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1447194838.365:1200): avc:  denied  { execmem } for  pid=27453 comm="nova-api" scontext=system_u:system_r:nova_t:s0 tcontext=system_u:system_r:nova_t:s0 tclass=process
type=USER_AVC msg=audit(1447195404.392:1376): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=10)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1447195404.392:1377): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=11)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1447195512.476:1714): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=12)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1447195512.476:1715): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=13)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1447195512.476:1716): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=14)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1447195524.746:1877): avc:  denied  { execmem } for  pid=12896 comm="nova-api" scontext=system_u:system_r:nova_t:s0 tcontext=system_u:system_r:nova_t:s0 tclass=process



Note:
running "openstack undercloud install" in selinux permissive mode - results in successful installation.

Comment 2 Alexander Chuzhoy 2015-11-10 23:03:12 UTC
Created attachment 1092498 [details]
/var/log/messages

Comment 3 Alexander Chuzhoy 2015-11-10 23:04:24 UTC
Created attachment 1092499 [details]
/var/log/audit/audit.log

Comment 4 Ryan Hallisey 2015-11-17 16:27:11 UTC
I still see the default_t issue again. This is caused because a dir is being created in the '/' directory that does not have the correct label.  'default_t' is assigned to a directory in '/' that hasn't had its label restored or assigned.  The fix for this is after you create '/<my_dir>' run $ restorecon -Rv /<my_dir>.

type=AVC msg=audit(1447195524.746:1877): avc:  denied  { execmem } for  pid=12896 comm="nova-api" scontext=system_u:system_r:nova_t:s0 tcontext=system_u:system_r:nova_t:s0 tclass=process

This AVC is problematic.  The type nova_t only exists on rhel7.
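
Added example (not code from this bug, from instack-undercloud or from openstack-selinux): a small Python triage script that parses the AVC records quoted in the description above and applies the reasoning from Comment 4. A denial whose target type is default_t points at a path that was never labelled (here the tftpboot directory created directly under /) and is a relabel job; the nova_t execmem denial is a missing permission in the domain's own policy and can only be fixed in the policy package. The script also follows the kernel's setenforce notices, so the dnsmasq denial logged a few milliseconds after enforcing=0 is reported as permissive-mode noise rather than an enforced block. The sample input is the audit.log excerpt from the report (policyload lines left in so the parser is exercised on them); the action names relabel/policy/check and the choice to treat the mode as unknown until the first setenforce notice are my own assumptions.

```python
"""Triage SELinux AVC denials from an audit.log excerpt (added example, not the bug's own code)."""
import re
from collections import OrderedDict

# Sample input: AVC / USER_AVC records copied from the bug report's audit.log excerpt.
SAMPLE_AUDIT = """\
type=USER_AVC msg=audit(1447193023.694:251): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=2)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1447193372.173:336): avc:  denied  { read } for  pid=25420 comm="dnsmasq" name="tftpboot" dev="sda1" ino=1572866 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1447193408.754:426): avc:  denied  { search } for  pid=26870 comm="neutron-server" name="httpd" dev="sda1" ino=793777 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir
type=AVC msg=audit(1447193408.754:427): avc:  denied  { search } for  pid=26870 comm="neutron-server" name="httpd" dev="sda1" ino=793777 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir
type=AVC msg=audit(1447194408.663:679): avc:  denied  { read } for  pid=5498 comm="dnsmasq" name="tftpboot" dev="sda1" ino=1572866 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1447194462.903:725): avc:  denied  { read } for  pid=6542 comm="dnsmasq" name="tftpboot" dev="sda1" ino=1572866 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
type=USER_AVC msg=audit(1447194502.743:748): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1447194502.750:749): avc:  denied  { read } for  pid=6771 comm="dnsmasq" name="tftpboot" dev="sda1" ino=1572866 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
type=USER_AVC msg=audit(1447194616.439:884): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=1)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1447194838.365:1200): avc:  denied  { execmem } for  pid=27453 comm="nova-api" scontext=system_u:system_r:nova_t:s0 tcontext=system_u:system_r:nova_t:s0 tclass=process
type=AVC msg=audit(1447195524.746:1877): avc:  denied  { execmem } for  pid=12896 comm="nova-api" scontext=system_u:system_r:nova_t:s0 tcontext=system_u:system_r:nova_t:s0 tclass=process
"""

# Kernel AVC denial: "avc:  denied  { perm [perm ...] } for  key=value ..."
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$')
# systemd relaying a mode switch: "received setenforce notice (enforcing=0|1)"
SETENFORCE_RE = re.compile(
    r'^type=USER_AVC msg=audit\((?P<ts>\d+\.\d+):\d+\):'
    r'.*received setenforce notice \(enforcing=(?P<mode>[01])\)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(':')[2]


def parse_avc(line):
    """Parse one kernel AVC denial; return None for any other record (USER_AVC, SYSCALL, ...)."""
    m = AVC_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'ts': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'perms': m.group('perms').split(),
        'pid': int(fields.get('pid', 0)),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'scontext': fields['scontext'],
        'tcontext': fields['tcontext'],
        'tclass': fields['tclass'],
    }


def triage(avc):
    """Classify a denial by what fixes it (category names are this example's, not a standard).

    relabel : target carries default_t, the catch-all type for a path the policy never
              labelled (Comment 4: a dir created under /); restorecon -Rv <path> fixes it.
    policy  : a confined domain is missing a permission on its own process (execmem);
              only a policy change can allow it.
    check   : anything else; decide whether the access is legitimate before allowing it.
    """
    if selinux_type(avc['tcontext']) == 'default_t':
        return 'relabel'
    if avc['tclass'] == 'process' and 'execmem' in avc['perms']:
        return 'policy'
    return 'check'


def triage_log(text):
    """Return (denials, summary) for an audit.log excerpt.

    denials: one dict per AVC record, with 'enforcing' (True/False, or None before the
             first setenforce notice, an assumption of this example) and 'action'.
    summary: OrderedDict {(source type, target type, tclass, perms): count}.
    """
    enforcing = None
    denials, summary = [], OrderedDict()
    for line in text.splitlines():
        m = SETENFORCE_RE.match(line)
        if m:
            enforcing = m.group('mode') == '1'
            continue
        avc = parse_avc(line)
        if avc is None:
            continue
        avc['enforcing'] = enforcing
        avc['action'] = triage(avc)
        denials.append(avc)
        key = (selinux_type(avc['scontext']), selinux_type(avc['tcontext']),
               avc['tclass'], ' '.join(avc['perms']))
        summary[key] = summary.get(key, 0) + 1
    return denials, summary


if __name__ == '__main__':
    found, by_signature = triage_log(SAMPLE_AUDIT)
    for (stype, ttype, tclass, perms), n in by_signature.items():
        print(f'{n:3d}x {stype} -> {ttype} ({tclass}: {perms})')
    for d in found:
        mode = {True: 'enforcing', False: 'permissive', None: 'mode unknown'}[d['enforcing']]
        print(f"  serial {d['serial']:>5} {d['comm'] or '?':<15} {d['action']:<8} [{mode}]")
```

Two caveats when acting on the relabel bucket: restorecon only applies a label the loaded policy already specifies for that path, so a directory under / that no file-context rule covers stays default_t until a rule is added (semanage fcontext -a) and restorecon is run afterwards; and a denial tagged permissive was logged but never blocked anything, which is why the report's permissive-mode run succeeded even though the same AVCs appeared in the log.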

Comment 5 Ryan Hallisey 2015-11-18 15:49:47 UTC
Added in some optional policy for nova_t. Hopefully this should solve the issue or at least reveal what else could be causing the issue.

Comment 8 Alexander Chuzhoy 2016-01-07 16:32:27 UTC
Verified:

Environment:
openstack-selinux-0.6.48-1.el7ost.noarch


With the new subject in mind, verified that there are no avc messages on controllers in /var/log/audit/audit.log.

Comment 10 errata-xmlrpc 2016-04-07 21:11:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-0603.html

