When running Cinder API in WSGI with Apache and SELinux enforcing, we have an AVC:

SELinux is preventing /usr/sbin/httpd from open access on the file /var/log/cinder/cinder-api.log.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that httpd should be allowed open access on the cinder-api.log file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:cinder_log_t:s0
Target Objects                /var/log/cinder/cinder-api.log [ file ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           httpd-2.4.6-40.el7.centos.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-60.el7_2.3.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     jenkins
Platform                      Linux jenkins 3.10.0-327.4.5.el7.x86_64 #1 SMP Mon Jan 25 22:07:14 UTC 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2016-04-10 03:10:14 UTC
Last Seen                     2016-04-10 03:10:14 UTC
Local ID                      b2e89cf7-071d-4fbf-9a04-f9d0443a70da

Raw Audit Messages
type=AVC msg=audit(1460257814.82:8553): avc: denied { open } for pid=14325 comm="httpd" path="/var/log/cinder/cinder-api.log" dev="vda1" ino=318834799 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:cinder_log_t:s0 tclass=file

type=SYSCALL msg=audit(1460257814.82:8553): arch=x86_64 syscall=open success=no exit=EACCES a0=7ff334004ee0 a1=441 a2=1b6 a3=24 items=0 ppid=14308 pid=14325 auid=4294967295 uid=165 gid=165 euid=165 suid=165 fsuid=165 egid=165 sgid=165 fsgid=165 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: httpd,httpd_t,cinder_log_t,file,open
Just need acks and I'll build openstack-selinux-0.6.59
I still have an AVC with 0.6.59:

type=AVC msg=audit(1460418573.405:3254): avc: denied { write } for pid=2191 comm="httpd" name="cinder" dev="vda1" ino=117531620 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1460418573.405:3254): arch=c000003e syscall=2 success=no exit=-13 a0=7f814a5f8530 a1=441 a2=1b6 a3=24 items=0 ppid=2176 pid=2191 auid=4294967295 uid=165 gid=165 euid=165 suid=165 fsuid=165 egid=165 sgid=165 fsgid=165 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
SELinux is preventing /usr/sbin/httpd from write access on the directory cinder.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that httpd should be allowed write access on the cinder directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:cinder_log_t:s0
Target Objects                cinder [ dir ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           httpd-2.4.6-40.el7.centos.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-60.el7_2.3.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     jenkins
Platform                      Linux jenkins 3.10.0-327.4.5.el7.x86_64 #1 SMP Mon Jan 25 22:07:14 UTC 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2016-04-11 23:50:46 UTC
Last Seen                     2016-04-11 23:50:46 UTC
Local ID                      c6a6dc1b-96d6-4162-b2eb-4c53ea713210

Raw Audit Messages
type=AVC msg=audit(1460418646.779:3276): avc: denied { write } for pid=2209 comm="httpd" name="cinder" dev="vda1" ino=117531620 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_log_t:s0 tclass=dir

type=SYSCALL msg=audit(1460418646.779:3276): arch=x86_64 syscall=open success=no exit=EACCES a0=7f81380113c0 a1=441 a2=1b6 a3=24 items=0 ppid=2176 pid=2209 auid=4294967295 uid=165 gid=165 euid=165 suid=165 fsuid=165 egid=165 sgid=165 fsgid=165 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: httpd,httpd_t,cinder_log_t,dir,write
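Both sealert reports in this bug recommend `grep httpd /var/log/audit/audit.log | audit2allow -M mypol`. The script below is an added example, not part of this bug report or of the openstack-selinux package, that does the core of what audit2allow does on exactly these records: parse the raw AVC lines, collapse them into (source type, target type, object class) allow rules, and render a .te module. It filters on the source *type* (httpd_t) rather than the substring "httpd", because the grep also catches any record that merely mentions httpd somewhere else. The sample audit log is constructed: it contains the AVC/SYSCALL records quoted in the two comments above plus one made-up logrotate_t denial on an httpd log file, added only to show what the grep pipeline would sweep in.

```python
import re
from collections import defaultdict

# Constructed sample input. The first four records are the ones quoted in this
# bug report; the last one is made up (logrotate_t reading httpd_log_t) and is
# here only because it contains the string "httpd", so `grep httpd` picks it up.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1460257814.82:8553): avc:  denied  { open } for  pid=14325 comm="httpd" path="/var/log/cinder/cinder-api.log" dev="vda1" ino=318834799 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:cinder_log_t:s0 tclass=file
type=SYSCALL msg=audit(1460257814.82:8553): arch=c000003e syscall=2 success=no exit=-13 a0=7ff334004ee0 a1=441 a2=1b6 a3=24 items=0 ppid=14308 pid=14325 auid=4294967295 uid=165 gid=165 euid=165 suid=165 fsuid=165 egid=165 sgid=165 fsgid=165 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1460418573.405:3254): avc:  denied  { write } for  pid=2191 comm="httpd" name="cinder" dev="vda1" ino=117531620 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_log_t:s0 tclass=dir
type=AVC msg=audit(1460418646.779:3276): avc:  denied  { write } for  pid=2209 comm="httpd" name="cinder" dev="vda1" ino=117531620 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cinder_log_t:s0 tclass=dir
type=AVC msg=audit(1460418700.000:3300): avc:  denied  { getattr } for  pid=4242 comm="logrotate" path="/var/log/httpd/access_log" dev="vda1" ino=1 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file
"""

# An AVC record: the denied permission set in braces, then the two security
# contexts and the object class. SYSCALL/PATH/CWD records do not match.
AVC_RE = re.compile(
    r"^type=AVC\b.*?\bavc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_denials(audit_text, source_type=None):
    """Return one dict per AVC denial, optionally only for one source domain type."""
    denials = []
    for line in audit_text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue  # not an AVC record: carries no permission information
        src = context_type(m.group("scontext"))
        if source_type is not None and src != source_type:
            continue
        denials.append({
            "source": src,
            "target": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "perms": frozenset(m.group("perms").split()),
        })
    return denials


def aggregate_rules(denials):
    """Merge denials into {(source, target, tclass): set(perms)}, as audit2allow does."""
    rules = defaultdict(set)
    for d in denials:
        rules[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    return dict(rules)


def render_te(rules, module_name="mypol", version="1.0"):
    """Render a Type Enforcement (.te) module for the aggregated rules."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    class_perms = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        class_perms[tclass].update(perms)
    out = [f"module {module_name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(class_perms.items())]
    out += ["}", ""]
    for (src, tgt, tclass), perms in sorted(rules.items()):
        out.append(f"allow {src} {tgt}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Every line of the sample mentions "httpd", so the unfiltered parse is what
    # the suggested grep pipeline would feed to audit2allow.
    print("# rules from every record matching 'httpd':")
    print(render_te(aggregate_rules(parse_denials(SAMPLE_AUDIT_LOG))))
    print("# rules for the httpd_t domain only:")
    print(render_te(aggregate_rules(parse_denials(SAMPLE_AUDIT_LOG, source_type="httpd_t"))))
```

Two things worth keeping in mind when reading the output. Each AVC record lists only the permissions refused by one policy check, so a local module built from one denial often just surfaces the next one; that is what the two comments show, with the `open` denial on the log file followed by the `write` denial on the directory once 0.6.59 was installed. And a module generated from the unfiltered grep would also carry the unrelated logrotate_t rule, which is why filtering on the source domain (or on the exact `scontext`) is the safer way to scope such a stopgap; the lasting fix in this report is the openstack-selinux package itself.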
Created attachment 1146169 [details] Fix httpd write in cinder log directory Should fix the last issue
Created attachment 1146172 [details] Fix httpd write in cinder log directory Update patch
The fix works fine, Puppet OpenStack CI is currently gating on this package to deploy Cinder as a WSGI app with Apache: https://github.com/openstack/puppet-openstack-integration/blob/master/manifests/cinder.pp#L69
Based on comment 8 - verified. openstack-selinux-0.7.3-3.el7ost.noarch
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2016-1597.html