Bug 1437684 - apache unable to write out openstack service logs to the /var/log/<service> folder
Status: CLOSED ERRATA
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux
Version: 12.0 (Pike)
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: ga
Target Release: 12.0 (Pike)
Assigned To: Lon Hohberger
QA Contact: Udi Shkalim
Keywords: Triaged
Depends On:
Blocks:
Reported: 2017-03-30 17:59 EDT by Alex Schultz
Modified: 2018-02-05 14:07 EST
CC List: 5 users

See Also:
Fixed In Version: openstack-selinux-0.8.8-0.20170804200925.ad96ed3.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-12-13 16:22:29 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

External Trackers:
Tracker: Red Hat Product Errata
Tracker ID: RHEA-2017:3462
Priority: normal
Status: SHIPPED_LIVE
Summary: Red Hat OpenStack Platform 12.0 Enhancement Advisory
Last Updated: 2018-02-15 20:43:25 EST

Description Alex Schultz 2017-03-30 17:59:38 EDT
Description of problem:
When services are run under apache via wsgi, they can no longer write their logs to their /var/log/<service>/ folder. Most recently, barbican and panko both failed when previously set up to write out /var/log/barbican/api.log and /var/log/panko/api.log. This had previously been working just fine.

Version-Release number of selected component (if applicable):
openstack-selinux-0.7.13-2.el7.noarch

http://logs.openstack.org/13/448213/1/check/gate-puppet-openstack-integration-4-scenario002-tempest-centos-7/cacc415/console.html#_2017-03-29_07_00_05_419563

2017-03-29 07:00:05.419563 | SELinux is preventing /usr/sbin/httpd from open access on the file /var/log/barbican/api.log.
2017-03-29 07:00:05.419570 | 
2017-03-29 07:00:05.419595 | *****  Plugin catchall (100. confidence) suggests   **************************
2017-03-29 07:00:05.419602 | 
2017-03-29 07:00:05.419630 | If you believe that httpd should be allowed open access on the api.log file by default.
2017-03-29 07:00:05.419646 | Then you should report this as a bug.
2017-03-29 07:00:05.419668 | You can generate a local policy module to allow this access.
2017-03-29 07:00:05.419675 | Do
2017-03-29 07:00:05.419691 | allow this access for now by executing:
2017-03-29 07:00:05.419710 | # ausearch -c 'httpd' --raw | audit2allow -M my-httpd
2017-03-29 07:00:05.419723 | # semodule -i my-httpd.pp
2017-03-29 07:00:05.419733 | 
2017-03-29 07:00:05.419740 | 
2017-03-29 07:00:05.419752 | Additional Information:
2017-03-29 07:00:05.419773 | Source Context                system_u:system_r:httpd_t:s0
2017-03-29 07:00:05.419795 | Target Context                unconfined_u:object_r:var_log_t:s0
2017-03-29 07:00:05.419817 | Target Objects                /var/log/barbican/api.log [ file ]
2017-03-29 07:00:05.419832 | Source                        httpd
2017-03-29 07:00:05.419850 | Source Path                   /usr/sbin/httpd
2017-03-29 07:00:05.419866 | Port                          <Unknown>
2017-03-29 07:00:05.419882 | Host                          <Unknown>
2017-03-29 07:00:05.419904 | Source RPM Packages           httpd-2.4.6-45.el7.centos.x86_64
2017-03-29 07:00:05.419917 | Target RPM Packages           
2017-03-29 07:00:05.419941 | Policy RPM                    selinux-policy-3.13.1-102.el7_3.15.noarch
2017-03-29 07:00:05.419956 | Selinux Enabled               True
2017-03-29 07:00:05.419972 | Policy Type                   targeted
2017-03-29 07:00:05.419988 | Enforcing Mode                Permissive
2017-03-29 07:00:05.420017 | Host Name                     centos-7-osic-cloud1-s3700-8148678
2017-03-29 07:00:05.420044 | Platform                      Linux centos-7-osic-cloud1-s3700-8148678
2017-03-29 07:00:05.457354 |                               3.10.0-514.10.2.el7.x86_64 #1 SMP Fri Mar 3
2017-03-29 07:00:05.457427 |                               00:04:05 UTC 2017 x86_64 x86_64
2017-03-29 07:00:05.457445 | Alert Count                   1
2017-03-29 07:00:05.457851 | First Seen                    2017-03-29 06:55:03 UTC
2017-03-29 07:00:05.457882 | Last Seen                     2017-03-29 06:55:03 UTC
2017-03-29 07:00:05.457909 | Local ID                      2dd4aa6b-9dde-4c09-b6cb-07cae22b0c61
2017-03-29 07:00:05.457916 | 
2017-03-29 07:00:05.457929 | Raw Audit Messages
2017-03-29 07:00:05.458025 | type=AVC msg=audit(1490770503.768:2446): avc:  denied  { open } for  pid=16990 comm="httpd" path="/var/log/barbican/api.log" dev="vda1" ino=5772151 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
2017-03-29 07:00:05.458039 | 
2017-03-29 07:00:05.458046 | 
2017-03-29 07:00:05.458155 | type=SYSCALL msg=audit(1490770503.768:2446): arch=x86_64 syscall=open success=yes exit=ENOEXEC a0=7f324dc29da0 a1=441 a2=1b6 a3=24 items=0 ppid=16964 pid=16990 auid=4294967295 uid=491 gid=490 euid=491 suid=491 fsuid=491 egid=490 sgid=490 fsgid=490 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
2017-03-29 07:00:05.458164 | 
2017-03-29 07:00:05.458195 | Hash: httpd,httpd_t,var_log_t,file,open
Comment 1 Lon Hohberger 2017-03-31 15:04:34 EDT
These are going to come in pretty regularly as we switch to Apache.
Comment 2 Lon Hohberger 2017-08-02 11:48:05 EDT
The problem here is that the log files need to be set individually (in general) to something httpd can read / write.

Not all log files are necessarily written by Apache, so we tend to need to do this individually.
Comment 3 Lon Hohberger 2017-08-04 15:04:45 EDT
https://github.com/redhat-openstack/openstack-selinux/commit/ad96ed3d459797cc417cdbfaf1a869d4d285f50e

For now, we'll just set a boolean that gives httpd_t access to known openstack types and var_log_t when being used as the OpenStack WSGI server.

Once all OpenStack services have assigned types, we'll drop the use of var_log_t.
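The triage that Comment 2 describes (working out, denial by denial, which log files httpd_t is being refused and which of them still carry the generic var_log_t label) can be scripted against the raw audit records quoted in the description. The script below is an added example written for this page; it is not code from the bug report, from openstack-selinux, or from the sealert tool. It assumes audit records in the shape shown in the bug (the AVC record from the description is reused verbatim; the panko and keystone records are constructed in the same shape, and the name-resolved `syscall=open` form of the SYSCALL record is assumed). The open(2) flag values are the Linux x86_64 ones.

```python
"""Triage SELinux AVC denials from raw audit records (added example).

Parses type=AVC / type=SYSCALL records, groups denials by
(source type, target type, object class), decodes the open(2) flags of the
matching SYSCALL record, and singles out targets still labelled var_log_t,
i.e. the files that need their own label rather than a blanket allow rule.
"""
import re
from collections import defaultdict

# Constructed sample input. The first two records are the ones quoted in the bug
# report; the panko and keystone records are made up in the same shape (paths,
# pids and inodes are illustrative only).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1490770503.768:2446): avc:  denied  { open } for  pid=16990 comm="httpd" path="/var/log/barbican/api.log" dev="vda1" ino=5772151 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1490770503.768:2446): arch=x86_64 syscall=open success=yes exit=ENOEXEC a0=7f324dc29da0 a1=441 a2=1b6 a3=24 items=0 ppid=16964 pid=16990 auid=4294967295 uid=491 gid=490 euid=491 suid=491 fsuid=491 egid=490 sgid=490 fsgid=490 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1490770600.101:2450): avc:  denied  { append } for  pid=16991 comm="httpd" path="/var/log/panko/api.log" dev="vda1" ino=5772200 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1490770601.202:2451): avc:  denied  { write } for  pid=16992 comm="httpd" path="/var/lib/keystone/keystone.db" dev="vda1" ino=5772300 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$"
)
SYSCALL_RE = re.compile(r"type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\): (?P<rest>.*)$")
# key=value pairs: values are either double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Linux x86_64 open(2) flag bits, octal as in <asm-generic/fcntl.h>.
OPEN_FLAGS = {0o1: "O_WRONLY", 0o2: "O_RDWR", 0o100: "O_CREAT", 0o200: "O_EXCL",
              0o1000: "O_TRUNC", 0o2000: "O_APPEND", 0o2000000: "O_CLOEXEC"}


def parse_context(ctx):
    """Split user:role:type:level; an MLS level may contain ':' so split at most 3 times."""
    user, role, type_, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_, "level": level}


def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other line."""
    m = AVC_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "serial": int(m.group("serial")),
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm"),
        "path": fields.get("path"),
        "tclass": fields.get("tclass"),
        "source": parse_context(fields["scontext"]),
        "target": parse_context(fields["tcontext"]),
    }


def decode_open_flags(hex_flags):
    """Decode the hex flags argument that audit records for open(2)/openat(2)."""
    value = int(hex_flags, 16)
    names = {name for bit, name in OPEN_FLAGS.items() if value & bit}
    if value & 0o3 == 0:
        names.add("O_RDONLY")  # the access mode is a 2-bit field, not a flag bit
    return names


def open_flags_for(audit_text, serial):
    """Decode the open flags of the SYSCALL record that shares an AVC's serial.

    Flags are a1 for open(2) and a2 for openat(2); assumes resolved syscall names.
    """
    for line in audit_text.splitlines():
        m = SYSCALL_RE.match(line)
        if m and int(m.group("serial")) == serial:
            fields = dict(KV_RE.findall(m.group("rest")))
            arg = {"open": "a1", "openat": "a2"}.get(fields.get("syscall"))
            return decode_open_flags(fields[arg]) if arg else None
    return None


def summarize(audit_text):
    """Group denials by (source type, target type, class); collect perms and paths."""
    groups = defaultdict(lambda: {"count": 0, "perms": set(), "paths": set()})
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec["source"]["type"], rec["target"]["type"], rec["tclass"])]
        g["count"] += 1
        g["perms"] |= rec["perms"]
        if rec["path"]:
            g["paths"].add(rec["path"])
    return dict(groups)


def generic_log_denials(groups):
    """Denials whose target still carries the generic var_log_t label: the files
    that need a specific label instead of an allow rule on var_log_t as a whole."""
    return {key: g for key, g in groups.items() if key[1] == "var_log_t"}


if __name__ == "__main__":
    groups = summarize(SAMPLE_AUDIT)
    for (stype, ttype, tclass), g in sorted(groups.items()):
        print(f"{stype} -> {ttype} ({tclass}): {g['count']} denial(s), perms={sorted(g['perms'])}")
        for path in sorted(g["paths"]):
            print(f"    {path}")
    print("open flags for serial 2446:", sorted(open_flags_for(SAMPLE_AUDIT, 2446)))
    print("still labelled var_log_t:",
          sorted(p for g in generic_log_denials(groups).values() for p in g["paths"]))
```

On a real host the input would be the output of `ausearch --raw` as used in the sealert message above, fed in place of `SAMPLE_AUDIT`. Two things the summary makes visible that the single alert does not: the same source/target pair accounts for every OpenStack log denial (so a per-service type, as Comment 3 plans, covers them all), and the decoded flags of the barbican open (O_WRONLY, O_CREAT, O_APPEND) show it is an append-only logging open, so whatever label those files get only needs create and append for httpd_t, not general write.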
Comment 9 errata-xmlrpc 2017-12-13 16:22:29 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:3462
