Bug 1281547 - rhel-osp-director: 8.0 - fail to deploy HA overcloud. Several puppet errors in the log, also several selinux AVC messages.
Status: CLOSED ERRATA
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux (Show other bugs)
Version: 8.0 (Liberty)
Hardware: x86_64
OS: Unspecified
Priority: high
Severity: high
Target Milestone: beta
Target Release: 8.0 (Liberty)
Assigned To: Ryan Hallisey
yeylon@redhat.com
Alexander Chuzhoy
Depends On:
Blocks:
Reported: 2015-11-12 13:17 EST by Alexander Chuzhoy
Modified: 2016-04-18 03:14 EDT (History)

See Also:
Fixed In Version: openstack-selinux-0.6.44-1.el7ost
Doc Type: Bug Fix
Doc Text:
Previously, httpd was not allowed to search through directories having the "nova_t" label. Consequently, nova-novncproxy failed to deploy an HA overcloud. This update allows httpd to search through such directories, which enables nova-novncproxy to run successfully.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-04-07 17:12:00 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
/var/log/messages and /var/log/audit/audit.log from a controller (180.04 KB, application/x-gzip)
2015-11-12 13:19 EST, Alexander Chuzhoy

Description Alexander Chuzhoy 2015-11-12 13:17:31 EST
rhel-osp-director: 8.0 - fail to deploy HA overcloud. Several puppet errors in the log, also several selinux AVC messages.


Environment:
instack-undercloud-2.1.3-1.el7ost.noarch

Steps to reproduce:
Attempt to deploy a basic HA overcloud with no network isolation.



Result:
The deployment fails.
resources.ControllerOvercloudServicesDeployment_Step4: resources.ControllerNodesPostDeployment.Error: resources[2]: Deployment to server failed: deploy_status_code: Deployment exited with non-zero status code: 6

Checking a controller, I see several errors in the messages file and some AVC reports in audit.log:
type=AVC msg=audit(1447350156.569:90): avc:  denied  { read } for  pid=578 comm="NetworkManager" name="dhclient-br-ex.pid" dev="tmpfs" ino=32089 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1447350156.596:91): avc:  denied  { read } for  pid=10363 comm="dhclient" name="dhclient-br-ex.pid" dev="tmpfs" ino=32089 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1447350156.596:92): avc:  denied  { write } for  pid=10363 comm="dhclient" name="dhclient-br-ex.pid" dev="tmpfs" ino=32089 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1447350156.622:93): avc:  denied  { write } for  pid=10363 comm="dhclient" name="dhclient-br-ex.pid" dev="tmpfs" ino=32089 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1447350156.670:94): avc:  denied  { write } for  pid=10363 comm="dhclient" name="dhclient-br-ex.pid" dev="tmpfs" ino=32089 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1447350507.817:103): avc:  denied  { execute } for  pid=27439 comm="redis-sentinel" name="redis-notifications.sh" dev="sda2" ino=8412437 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1447350733.646:137): avc:  denied  { execute } for  pid=3455 comm="redis-sentinel" name="redis-notifications.sh" dev="sda2" ino=8412437 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1447350784.906:220): avc:  denied  { search } for  pid=4785 comm="neutron-server" name="httpd" dev="sda2" ino=8398827 scontext=system_u:system_r:neutron_t:s0 tcontext=unconfined_u:object_r:httpd_config_t:s0 tclass=dir
type=AVC msg=audit(1447350784.906:221): avc:  denied  { search } for  pid=4785 comm="neutron-server" name="httpd" dev="sda2" ino=8398827 scontext=system_u:system_r:neutron_t:s0 tcontext=unconfined_u:object_r:httpd_config_t:s0 tclass=dir
type=AVC msg=audit(1447350863.972:256): avc:  denied  { search } for  pid=5894 comm="nova-novncproxy" name="httpd" dev="sda2" ino=8398827 scontext=system_u:system_r:nova_t:s0 tcontext=unconfined_u:object_r:httpd_config_t:s0 tclass=dir
type=AVC msg=audit(1447350863.972:257): avc:  denied  { search } for  pid=5894 comm="nova-novncproxy" name="httpd" dev="sda2" ino=8398827 scontext=system_u:system_r:nova_t:s0 tcontext=unconfined_u:object_r:httpd_config_t:s0 tclass=dir
type=AVC msg=audit(1447351493.184:434): avc:  denied  { execute } for  pid=11044 comm="redis-sentinel" name="redis-notifications.sh" dev="sda2" ino=8412437 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file


Note: Was able to complete a non-HA deployment successfully.



Expected result:
Successful HA overcloud deployment.
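The AVC lines above are the raw material for triaging this kind of failure: the useful step is to collapse them to the tuple (source type, target type, object class, permission) and count, so that a burst of repeated denials from one service stands out from one-off noise. The following script is an added example written for this page, not code from the bug report or from openstack-selinux; it parses the audit lines quoted in the description (embedded verbatim as sample input), groups them that way, and prints the equivalent policy `allow` rule for each group in the same form audit2allow would, as a starting point for review. Function names (`parse_avc`, `summarize`, `to_te_rule`) are this example's own.

```python
import re
from collections import Counter

# Sample input: the AVC lines quoted in the bug description (audit.log from a controller).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1447350156.569:90): avc:  denied  { read } for  pid=578 comm="NetworkManager" name="dhclient-br-ex.pid" dev="tmpfs" ino=32089 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1447350156.596:91): avc:  denied  { read } for  pid=10363 comm="dhclient" name="dhclient-br-ex.pid" dev="tmpfs" ino=32089 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1447350156.596:92): avc:  denied  { write } for  pid=10363 comm="dhclient" name="dhclient-br-ex.pid" dev="tmpfs" ino=32089 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1447350156.622:93): avc:  denied  { write } for  pid=10363 comm="dhclient" name="dhclient-br-ex.pid" dev="tmpfs" ino=32089 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1447350156.670:94): avc:  denied  { write } for  pid=10363 comm="dhclient" name="dhclient-br-ex.pid" dev="tmpfs" ino=32089 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1447350507.817:103): avc:  denied  { execute } for  pid=27439 comm="redis-sentinel" name="redis-notifications.sh" dev="sda2" ino=8412437 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1447350733.646:137): avc:  denied  { execute } for  pid=3455 comm="redis-sentinel" name="redis-notifications.sh" dev="sda2" ino=8412437 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1447350784.906:220): avc:  denied  { search } for  pid=4785 comm="neutron-server" name="httpd" dev="sda2" ino=8398827 scontext=system_u:system_r:neutron_t:s0 tcontext=unconfined_u:object_r:httpd_config_t:s0 tclass=dir
type=AVC msg=audit(1447350784.906:221): avc:  denied  { search } for  pid=4785 comm="neutron-server" name="httpd" dev="sda2" ino=8398827 scontext=system_u:system_r:neutron_t:s0 tcontext=unconfined_u:object_r:httpd_config_t:s0 tclass=dir
type=AVC msg=audit(1447350863.972:256): avc:  denied  { search } for  pid=5894 comm="nova-novncproxy" name="httpd" dev="sda2" ino=8398827 scontext=system_u:system_r:nova_t:s0 tcontext=unconfined_u:object_r:httpd_config_t:s0 tclass=dir
type=AVC msg=audit(1447350863.972:257): avc:  denied  { search } for  pid=5894 comm="nova-novncproxy" name="httpd" dev="sda2" ino=8398827 scontext=system_u:system_r:nova_t:s0 tcontext=unconfined_u:object_r:httpd_config_t:s0 tclass=dir
type=AVC msg=audit(1447351493.184:434): avc:  denied  { execute } for  pid=11044 comm="redis-sentinel" name="redis-notifications.sh" dev="sda2" ino=8412437 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
"""

# Matches the denied permission set, the free-form key=value fields, and the
# source/target contexts and object class of one AVC record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*?)\s+'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
# key=value or key="quoted value" pairs (pid, comm, name, dev, ino, ...).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type field of a user:role:type:level security context."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Parse one audit line; return a dict of the interesting fields or None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'perms': m.group('perms').split(),      # a record may list several permissions
        'pid': fields.get('pid'),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'source_type': selinux_type(m.group('scontext')),
        'target_type': selinux_type(m.group('tcontext')),
        'tclass': m.group('tclass'),
    }


def summarize(log_text):
    """Count denials per (source type, target type, class, permission) across a whole log."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec['perms']:
            counts[(rec['source_type'], rec['target_type'], rec['tclass'], perm)] += 1
    return counts


def to_te_rule(key):
    """Render a grouped denial as the TE allow rule that would permit it (audit2allow style)."""
    source_type, target_type, tclass, perm = key
    return f"allow {source_type} {target_type}:{tclass} {perm};"


if __name__ == '__main__':
    # Report the groups most-denied first; each rule is a candidate for a policy
    # module and should be checked against what the service legitimately needs,
    # since a denial may instead indicate a mislabelled file rather than a missing rule.
    for key, count in summarize(SAMPLE_AUDIT_LOG).most_common():
        print(f"{count:3d}  {to_te_rule(key)}")
```

Run on the sample, the report shows three groups that recur (dhclient writing its pid file, redis-sentinel executing its notification script, and the two OpenStack services searching the httpd config directory); the `nova_t` search denial against `httpd_config_t` is the one comment 4 singles out as the likely culprit.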
Comment 2 Alexander Chuzhoy 2015-11-12 13:19 EST
Created attachment 1093418 [details]
/var/log/messages and /var/log/audit/audit.log from a controller
Comment 3 Alexander Chuzhoy 2015-11-12 13:21:51 EST
Environment:
openstack-selinux-0.6.42-2.el7ost.noarch
Comment 4 Ryan Hallisey 2015-11-18 08:21:14 EST
Another nova_t rule. This rule is likely the culprit. To fix this AVC is very tricky because the nova_t type doesn't exist on rhel 7, but in rhel 7.1 and 7.2. I can't find a transition so optional policy should work.

type=AVC msg=audit(1447350863.972:257): avc:  denied  { search } for  pid=5894 comm="nova-novncproxy" name="httpd" dev="sda2" ino=8398827 scontext=system_u:system_r:nova_t:s0
Comment 8 Alexander Chuzhoy 2016-01-07 12:24:02 EST
Verified.
Environment:
openstack-selinux-0.6.48-1.el7ost.noarch

Successfully deployed HA overcloud without network isolation.
Comment 9 errata-xmlrpc 2016-04-07 17:12:00 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-0603.html
