Bug 1416648 - Wrong SELinux context on panko.log
Summary: Wrong SELinux context on panko.log
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux
Version: 11.0 (Ocata)
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: beta
: 11.0 (Ocata)
Assignee: Lon Hohberger
QA Contact: Udi Shkalim
URL:
Whiteboard:
Depends On:
Blocks: 1423496
TreeView+ depends on / blocked
 
Reported: 2017-01-26 08:12 UTC by Yurii Prokulevych
Modified: 2017-05-17 19:43 UTC (History)
12 users (show)

Fixed In Version: openstack-selinux-0.8.5-2.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-05-17 19:43:36 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2017:1245 normal SHIPPED_LIVE Red Hat OpenStack Platform 11.0 Bug Fix and Enhancement Advisory 2017-05-17 23:01:50 UTC
OpenStack gerrit 451457 None None None 2017-03-29 15:31:02 UTC

Description Yurii Prokulevych 2017-01-26 08:12:09 UTC
Description of problem:
-----------------------
Log file for Panko is created with wrong SELinux context:

ls -lZ /var/log/panko/
-rw-r--r--. panko panko system_u:object_r:var_log_t:s0   panko.log

Which causes service to reply with 500 code:
--------------------------------------------
[Thu Jan 26 08:05:09.423953 2017] [:error] [pid 496346] [remote 172.17.1.23:40097] mod_wsgi (pid=496346): Target WSGI script '/var/www/cgi-bin/panko/app' cannot be loaded as Python module.
[Thu Jan 26 08:05:09.424019 2017] [:error] [pid 496346] [remote 172.17.1.23:40097] mod_wsgi (pid=496346): Exception occurred processing WSGI script '/var/www/cgi-bin/panko/app'.
[Thu Jan 26 08:05:09.424053 2017] [:error] [pid 496346] [remote 172.17.1.23:40097] Traceback (most recent call last):
[Thu Jan 26 08:05:09.424100 2017] [:error] [pid 496346] [remote 172.17.1.23:40097]   File "/var/www/cgi-bin/panko/app", line 19, in <module>
[Thu Jan 26 08:05:09.424181 2017] [:error] [pid 496346] [remote 172.17.1.23:40097]     application = app.build_wsgi_app(argv=[])
[Thu Jan 26 08:05:09.424195 2017] [:error] [pid 496346] [remote 172.17.1.23:40097]   File "/usr/lib/python2.7/site-packages/panko/api/app.py", line 91, in build_wsgi_app
[Thu Jan 26 08:05:09.424465 2017] [:error] [pid 496346] [remote 172.17.1.23:40097]     return load_app(service.prepare_service(argv=argv))
[Thu Jan 26 08:05:09.424479 2017] [:error] [pid 496346] [remote 172.17.1.23:40097]   File "/usr/lib/python2.7/site-packages/panko/service.py", line 44, in prepare_service
[Thu Jan 26 08:05:09.424500 2017] [:error] [pid 496346] [remote 172.17.1.23:40097]     log.setup(conf, 'panko')
[Thu Jan 26 08:05:09.424510 2017] [:error] [pid 496346] [remote 172.17.1.23:40097]   File "/usr/lib/python2.7/site-packages/oslo_log/log.py", line 269, in setup
[Thu Jan 26 08:05:09.424541 2017] [:error] [pid 496346] [remote 172.17.1.23:40097]     _setup_logging_from_conf(conf, product_name, version)
[Thu Jan 26 08:05:09.424552 2017] [:error] [pid 496346] [remote 172.17.1.23:40097]   File "/usr/lib/python2.7/site-packages/oslo_log/log.py", line 366, in _setup_logging_from_conf
[Thu Jan 26 08:05:09.424715 2017] [:error] [pid 496346] [remote 172.17.1.23:40097]     filelog = file_handler(logpath)
[Thu Jan 26 08:05:09.426496 2017] [:error] [pid 496346] [remote 172.17.1.23:40097]   File "/usr/lib64/python2.7/logging/handlers.py", line 392, in __init__
[Thu Jan 26 08:05:09.426741 2017] [:error] [pid 496346] [remote 172.17.1.23:40097]     logging.FileHandler.__init__(self, filename, mode, encoding, delay)
[Thu Jan 26 08:05:09.426777 2017] [:error] [pid 496346] [remote 172.17.1.23:40097]   File "/usr/lib64/python2.7/logging/__init__.py", line 902, in __init__
[Thu Jan 26 08:05:09.426830 2017] [:error] [pid 496346] [remote 172.17.1.23:40097]     StreamHandler.__init__(self, self._open())
[Thu Jan 26 08:05:09.426872 2017] [:error] [pid 496346] [remote 172.17.1.23:40097]   File "/usr/lib64/python2.7/logging/__init__.py", line 925, in _open
[Thu Jan 26 08:05:09.426909 2017] [:error] [pid 496346] [remote 172.17.1.23:40097]     stream = open(self.baseFilename, self.mode)
[Thu Jan 26 08:05:09.427004 2017] [:error] [pid 496346] [remote 172.17.1.23:40097] IOError: [Errno 13] Permission denied: '/var/log/panko/panko.log'

Setting context to 'httpd_log_t' eliminates the issue


Version-Release number of selected component (if applicable):
-------------------------------------------------------------
openstack-selinux-0.7.13-3.el7ost.noarch

Comment 1 Yurii Prokulevych 2017-01-26 08:14:19 UTC
ausearch --file /var/log/panko/ 
----
time->Thu Jan 26 07:49:53 2017
type=SYSCALL msg=audit(1485416993.550:148556): arch=c000003e syscall=2 success=no exit=-13 a0=7f0aa000d670 a1=441 a2=1b6 a3=24 items=0 ppid=496330 pid=496396 auid=4294967295 uid=986 gid=983 euid=986 suid=986 fsuid=986 egid=983 sgid=983 fsgid=983 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1485416993.550:148556): avc:  denied  { open } for  pid=496396 comm="httpd" path="/var/log/panko/panko.log" dev="vda2" ino=8426312 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
----
time->Thu Jan 26 07:53:32 2017
type=SYSCALL msg=audit(1485417212.682:149117): arch=c000003e syscall=2 success=no exit=-13 a0=7f0a9c003fd0 a1=441 a2=1b6 a3=24 items=0 ppid=496330 pid=496395 auid=4294967295 uid=986 gid=983 euid=986 suid=986 fsuid=986 egid=983 sgid=983 fsgid=983 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1485417212.682:149117): avc:  denied  { open } for  pid=496395 comm="httpd" path="/var/log/panko/panko.log" dev="vda2" ino=8426312 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
----
time->Thu Jan 26 07:54:18 2017
type=SYSCALL msg=audit(1485417258.802:149230): arch=c000003e syscall=2 success=no exit=-13 a0=7f0aa1732ee0 a1=441 a2=1b6 a3=24 items=0 ppid=496330 pid=496396 auid=4294967295 uid=986 gid=983 euid=986 suid=986 fsuid=986 egid=983 sgid=983 fsgid=983 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1485417258.802:149230): avc:  denied  { open } for  pid=496396 comm="httpd" path="/var/log/panko/panko.log" dev="vda2" ino=8426312 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
----
time->Thu Jan 26 07:54:41 2017
type=SYSCALL msg=audit(1485417281.146:149291): arch=c000003e syscall=2 success=no exit=-13 a0=7f0a9c00dd00 a1=441 a2=1b6 a3=24 items=0 ppid=496330 pid=496395 auid=4294967295 uid=986 gid=983 euid=986 suid=986 fsuid=986 egid=983 sgid=983 fsgid=983 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1485417281.146:149291): avc:  denied  { open } for  pid=496395 comm="httpd" path="/var/log/panko/panko.log" dev="vda2" ino=8426312 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
----
time->Thu Jan 26 08:05:09 2017
type=SYSCALL msg=audit(1485417909.422:150907): arch=c000003e syscall=2 success=no exit=-13 a0=7f0aa1732ee0 a1=441 a2=1b6 a3=24 items=0 ppid=496330 pid=496396 auid=4294967295 uid=986 gid=983 euid=986 suid=986 fsuid=986 egid=983 sgid=983 fsgid=983 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1485417909.422:150907): avc:  denied  { open } for  pid=496396 comm="httpd" path="/var/log/panko/panko.log" dev="vda2" ino=8426312 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file

Comment 4 Pradeep Kilambi 2017-02-15 15:57:05 UTC
Updated the PR and its merged now:

https://github.com/redhat-openstack/openstack-selinux/pull/7

Comment 10 Marek Aufart 2017-03-27 12:22:00 UTC
See bellow, thanks.

[root@undercloud-0 ~]# ls -lZ /var/log/panko/panko.log
-rw-r--r--. panko panko unconfined_u:object_r:var_log_t:s0 /var/log/panko/panko.log

[root@controller-0 ~]# ls -lZ /var/log/panko/panko.log
-rw-r--r--. panko panko system_u:object_r:var_log_t:s0   /var/log/panko/panko.log

Comment 12 Lon Hohberger 2017-03-29 15:29:36 UTC
OK:

logging_log_filetrans(httpd_t, httpd_log_t, file)

httpd (apache), when creating log files in var_log_t directories will get them labelled as httpd_log_t. The problem here is that the file is labelled as var_log_t, meaning httpd_t didn't create the file.

Pradeep figure out that panko.log is probably being created by puppet-panko, which would explain the problem.

Either puppet-panko needs to call restorecon, or it needs to not create the log file.

Comment 13 Pradeep Kilambi 2017-03-29 15:30:22 UTC
part of the issue seems to be that puppet-panko is explicitly creating thsi log. I fixed this in puppet so apache can force create this app.log and has the right context. We still need to fix openstack-selinux to use app.log for panko instead.

Comment 18 errata-xmlrpc 2017-05-17 19:43:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1245


Note You need to log in before you can comment on or make changes to this bug.