Description of problem:
-----------------------
Log file for Panko is created with wrong SELinux context:

ls -lZ /var/log/panko/
-rw-r--r--. panko panko system_u:object_r:var_log_t:s0 panko.log

Which causes the service to reply with a 500 code:
--------------------------------------------------
[Thu Jan 26 08:05:09.423953 2017] [:error] [pid 496346] [remote 172.17.1.23:40097] mod_wsgi (pid=496346): Target WSGI script '/var/www/cgi-bin/panko/app' cannot be loaded as Python module.
[Thu Jan 26 08:05:09.424019 2017] [:error] [pid 496346] [remote 172.17.1.23:40097] mod_wsgi (pid=496346): Exception occurred processing WSGI script '/var/www/cgi-bin/panko/app'.
[Thu Jan 26 08:05:09.424053 2017] [:error] [pid 496346] [remote 172.17.1.23:40097] Traceback (most recent call last):
[Thu Jan 26 08:05:09.424100 2017] [:error] [pid 496346] [remote 172.17.1.23:40097]   File "/var/www/cgi-bin/panko/app", line 19, in <module>
[Thu Jan 26 08:05:09.424181 2017] [:error] [pid 496346] [remote 172.17.1.23:40097]     application = app.build_wsgi_app(argv=[])
[Thu Jan 26 08:05:09.424195 2017] [:error] [pid 496346] [remote 172.17.1.23:40097]   File "/usr/lib/python2.7/site-packages/panko/api/app.py", line 91, in build_wsgi_app
[Thu Jan 26 08:05:09.424465 2017] [:error] [pid 496346] [remote 172.17.1.23:40097]     return load_app(service.prepare_service(argv=argv))
[Thu Jan 26 08:05:09.424479 2017] [:error] [pid 496346] [remote 172.17.1.23:40097]   File "/usr/lib/python2.7/site-packages/panko/service.py", line 44, in prepare_service
[Thu Jan 26 08:05:09.424500 2017] [:error] [pid 496346] [remote 172.17.1.23:40097]     log.setup(conf, 'panko')
[Thu Jan 26 08:05:09.424510 2017] [:error] [pid 496346] [remote 172.17.1.23:40097]   File "/usr/lib/python2.7/site-packages/oslo_log/log.py", line 269, in setup
[Thu Jan 26 08:05:09.424541 2017] [:error] [pid 496346] [remote 172.17.1.23:40097]     _setup_logging_from_conf(conf, product_name, version)
[Thu Jan 26 08:05:09.424552 2017] [:error] [pid 496346] [remote 172.17.1.23:40097]   File "/usr/lib/python2.7/site-packages/oslo_log/log.py", line 366, in _setup_logging_from_conf
[Thu Jan 26 08:05:09.424715 2017] [:error] [pid 496346] [remote 172.17.1.23:40097]     filelog = file_handler(logpath)
[Thu Jan 26 08:05:09.426496 2017] [:error] [pid 496346] [remote 172.17.1.23:40097]   File "/usr/lib64/python2.7/logging/handlers.py", line 392, in __init__
[Thu Jan 26 08:05:09.426741 2017] [:error] [pid 496346] [remote 172.17.1.23:40097]     logging.FileHandler.__init__(self, filename, mode, encoding, delay)
[Thu Jan 26 08:05:09.426777 2017] [:error] [pid 496346] [remote 172.17.1.23:40097]   File "/usr/lib64/python2.7/logging/__init__.py", line 902, in __init__
[Thu Jan 26 08:05:09.426830 2017] [:error] [pid 496346] [remote 172.17.1.23:40097]     StreamHandler.__init__(self, self._open())
[Thu Jan 26 08:05:09.426872 2017] [:error] [pid 496346] [remote 172.17.1.23:40097]   File "/usr/lib64/python2.7/logging/__init__.py", line 925, in _open
[Thu Jan 26 08:05:09.426909 2017] [:error] [pid 496346] [remote 172.17.1.23:40097]     stream = open(self.baseFilename, self.mode)
[Thu Jan 26 08:05:09.427004 2017] [:error] [pid 496346] [remote 172.17.1.23:40097] IOError: [Errno 13] Permission denied: '/var/log/panko/panko.log'

Setting context to 'httpd_log_t' eliminates the issue.

Version-Release number of selected component (if applicable):
-------------------------------------------------------------
openstack-selinux-0.7.13-3.el7ost.noarch

ausearch --file /var/log/panko/
----
time->Thu Jan 26 07:49:53 2017
type=SYSCALL msg=audit(1485416993.550:148556): arch=c000003e syscall=2 success=no exit=-13 a0=7f0aa000d670 a1=441 a2=1b6 a3=24 items=0 ppid=496330 pid=496396 auid=4294967295 uid=986 gid=983 euid=986 suid=986 fsuid=986 egid=983 sgid=983 fsgid=983 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1485416993.550:148556): avc: denied { open } for pid=496396 comm="httpd" path="/var/log/panko/panko.log" dev="vda2" ino=8426312 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
----
time->Thu Jan 26 07:53:32 2017
type=SYSCALL msg=audit(1485417212.682:149117): arch=c000003e syscall=2 success=no exit=-13 a0=7f0a9c003fd0 a1=441 a2=1b6 a3=24 items=0 ppid=496330 pid=496395 auid=4294967295 uid=986 gid=983 euid=986 suid=986 fsuid=986 egid=983 sgid=983 fsgid=983 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1485417212.682:149117): avc: denied { open } for pid=496395 comm="httpd" path="/var/log/panko/panko.log" dev="vda2" ino=8426312 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
----
time->Thu Jan 26 07:54:18 2017
type=SYSCALL msg=audit(1485417258.802:149230): arch=c000003e syscall=2 success=no exit=-13 a0=7f0aa1732ee0 a1=441 a2=1b6 a3=24 items=0 ppid=496330 pid=496396 auid=4294967295 uid=986 gid=983 euid=986 suid=986 fsuid=986 egid=983 sgid=983 fsgid=983 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1485417258.802:149230): avc: denied { open } for pid=496396 comm="httpd" path="/var/log/panko/panko.log" dev="vda2" ino=8426312 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
----
time->Thu Jan 26 07:54:41 2017
type=SYSCALL msg=audit(1485417281.146:149291): arch=c000003e syscall=2 success=no exit=-13 a0=7f0a9c00dd00 a1=441 a2=1b6 a3=24 items=0 ppid=496330 pid=496395 auid=4294967295 uid=986 gid=983 euid=986 suid=986 fsuid=986 egid=983 sgid=983 fsgid=983 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1485417281.146:149291): avc: denied { open } for pid=496395 comm="httpd" path="/var/log/panko/panko.log" dev="vda2" ino=8426312 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
----
time->Thu Jan 26 08:05:09 2017
type=SYSCALL msg=audit(1485417909.422:150907): arch=c000003e syscall=2 success=no exit=-13 a0=7f0aa1732ee0 a1=441 a2=1b6 a3=24 items=0 ppid=496330 pid=496396 auid=4294967295 uid=986 gid=983 euid=986 suid=986 fsuid=986 egid=983 sgid=983 fsgid=983 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1485417909.422:150907): avc: denied { open } for pid=496396 comm="httpd" path="/var/log/panko/panko.log" dev="vda2" ino=8426312 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
Updated the PR and it's merged now: https://github.com/redhat-openstack/openstack-selinux/pull/7
See below, thanks.

[root@undercloud-0 ~]# ls -lZ /var/log/panko/panko.log
-rw-r--r--. panko panko unconfined_u:object_r:var_log_t:s0 /var/log/panko/panko.log

[root@controller-0 ~]# ls -lZ /var/log/panko/panko.log
-rw-r--r--. panko panko system_u:object_r:var_log_t:s0 /var/log/panko/panko.log
OK: logging_log_filetrans(httpd_t, httpd_log_t, file)

httpd (apache), when creating log files in var_log_t directories, will get them labelled as httpd_log_t. The problem here is that the file is labelled as var_log_t, meaning httpd_t didn't create the file. Pradeep figured out that panko.log is probably being created by puppet-panko, which would explain the problem. Either puppet-panko needs to call restorecon, or it needs to not create the log file.
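Added example, not code from the bug report, puppet-panko or openstack-selinux: a small triage script for the ausearch output in the bug description and the type-transition explanation in the comment above. It parses type=AVC records, counts the distinct (source type, target type, class, permission) denials, and flags files under /var/log whose label is not the one the writing domain expects. The expected-type map (httpd_t writing a log file should find it labelled httpd_log_t) is an assumption taken from the logging_log_filetrans comment; the sample records are constructed in the same shape as the ones in the report.

```python
"""Triage SELinux AVC denials from `ausearch` output.

Added example, not code from the bug report or from openstack-selinux.
It parses type=AVC records, summarises distinct (source type, target type,
class, permission) denials, and flags log files whose label differs from
what the writing domain expects.
"""
import re
import shlex
from collections import Counter

# Constructed sample in the same shape as the ausearch records in the bug
# report: a SYSCALL line followed by its AVC line, one block per "----".
SAMPLE_AUSEARCH = """----
time->Thu Jan 26 07:49:53 2017
type=SYSCALL msg=audit(1485416993.550:148556): arch=c000003e syscall=2 success=no exit=-13 a0=7f0aa000d670 a1=441 a2=1b6 a3=24 items=0 ppid=496330 pid=496396 auid=4294967295 uid=986 gid=983 euid=986 suid=986 fsuid=986 egid=983 sgid=983 fsgid=983 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1485416993.550:148556): avc:  denied  { open } for  pid=496396 comm="httpd" path="/var/log/panko/panko.log" dev="vda2" ino=8426312 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
----
time->Thu Jan 26 07:53:32 2017
type=SYSCALL msg=audit(1485417212.682:149117): arch=c000003e syscall=2 success=no exit=-13 a0=7f0a9c003fd0 a1=441 a2=1b6 a3=24 items=0 ppid=496330 pid=496395 auid=4294967295 uid=986 gid=983 euid=986 suid=986 fsuid=986 egid=983 sgid=983 fsgid=983 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1485417212.682:149117): avc:  denied  { open } for  pid=496395 comm="httpd" path="/var/log/panko/panko.log" dev="vda2" ino=8426312 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*avc:\s+'
    r'(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs; a value is either double-quoted or a run of non-space chars
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption taken from the thread: logging_log_filetrans(httpd_t, httpd_log_t,
# file) means a log file that httpd_t writes under /var/log should carry
# httpd_log_t.  Extend this map for other domains as needed.
EXPECTED_LOG_TYPE = {'httpd_t': 'httpd_log_t'}


def selinux_type(context):
    """Return the type field of a user:role:type[:level] context string."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else ''


def parse_avc(text):
    """Return one dict per type=AVC record in `text`; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
        rec['serial'] = int(m.group('serial'))
        rec['result'] = m.group('result')
        rec['perms'] = m.group('perms').split()
        rec['stype'] = selinux_type(rec.get('scontext', ''))
        rec['ttype'] = selinux_type(rec.get('tcontext', ''))
        records.append(rec)
    return records


def summarize(records):
    """Count distinct denials by (source type, target type, class, perms)."""
    return Counter(
        (r['stype'], r['ttype'], r.get('tclass'), ' '.join(r['perms']))
        for r in records if r['result'] == 'denied'
    )


def find_mislabeled(records):
    """List (path, actual type, expected type) for files under /var/log whose
    label is not what the writing domain expects; duplicates are collapsed."""
    found = []
    for r in records:
        if r['result'] != 'denied' or r.get('tclass') != 'file':
            continue
        path = r.get('path', '')
        expected = EXPECTED_LOG_TYPE.get(r['stype'])
        if not path.startswith('/var/log/') or expected is None:
            continue
        item = (path, r['ttype'], expected)
        if r['ttype'] != expected and item not in found:
            found.append(item)
    return found


def workaround_commands(mislabeled):
    """Immediate relabel per finding (the reporter's workaround).  The durable
    fix is a file-context rule in policy, after which restorecon applies it."""
    return ['chcon -t %s %s' % (expected, shlex.quote(path))
            for path, _actual, expected in mislabeled]


if __name__ == '__main__':
    recs = parse_avc(SAMPLE_AUSEARCH)
    for key, n in summarize(recs).items():
        print('%d x %s' % (n, key))
    for cmd in workaround_commands(find_mislabeled(recs)):
        print(cmd)
```

Run it against real output with `ausearch -m AVC -ts recent | python3 avc_triage.py`-style piping by replacing SAMPLE_AUSEARCH with sys.stdin.read(); the summary line tells you at a glance that a single domain/type pair is behind every denial, which is the signature of a mislabelled file rather than a missing allow rule. The chcon output is only a stop-gap: it is lost on the next restorecon or relabel, so once the policy package carries the right file context the correct step is restorecon on the path.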
Part of the issue seems to be that puppet-panko is explicitly creating this log. I fixed this in puppet so apache can force create this app.log and has the right context. We still need to fix openstack-selinux to use app.log for panko instead.
https://github.com/redhat-openstack/openstack-selinux/commit/d991d2f07ce20cc910c95c7354217956f4a85482
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2017:1245