Description of problem:
Gnocchi does not work if /var/lib/gnocchi is an NFS share and selinux is in enforcing mode.

Version-Release number of selected component (if applicable):
osp10

How reproducible:
always

Steps to Reproduce:
1. prepare an nfs share according to: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/sect-Managing_Confined_Services-NFS-Configuration_Examples.html or use a similarly v4.2 capable server.
2. mount the share under /var/lib/gnocchi with the proper context:
172.16.0.1:/gnocchi /var/lib/gnocchi nfs vers=4.2,context="unconfined_u:object_r:var_lib_t:s0" 0 0
3. restart openstack-gnocchi-* openstack-ceilometer-* httpd

Actual results:
[root@overcloud-controller-0 ~]# openstack metric measures show cpu_util -r 67b123a9-12fb-123a-b9bf-69bfe1234ad9 | grep 300
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or misconfiguration and was unable to complete your request.</p>
<p>Please contact the server administrator at [no address given] to inform them of the time this error occurred, and the actions you performed just before this error.</p>
<p>More information about this error may be available in the server error log.</p>
</body></html>
(HTTP 500)

# aureport -a
...
654. 06/29/2017 06:17:21 httpd system_u:object_r:httpd_var_lib_t:s0 2 filesystem associate unconfined_u:object_r:var_lib_t:s0 denied 1173
655. 06/29/2017 06:18:59 httpd system_u:object_r:httpd_var_lib_t:s0 2 filesystem associate unconfined_u:object_r:var_lib_t:s0 denied 1280
656. 06/29/2017 06:18:59 httpd system_u:object_r:httpd_var_lib_t:s0 2 filesystem associate unconfined_u:object_r:var_lib_t:s0 denied 1281
657. 06/29/2017 06:19:02 httpd system_u:object_r:httpd_var_lib_t:s0 2 filesystem associate unconfined_u:object_r:var_lib_t:s0 denied 1295
658. 06/29/2017 06:19:02 httpd system_u:object_r:httpd_var_lib_t:s0 2 filesystem associate unconfined_u:object_r:var_lib_t:s0 denied 1294
659. 06/29/2017 06:19:57 httpd system_u:object_r:httpd_var_lib_t:s0 2 filesystem associate unconfined_u:object_r:var_lib_t:s0 denied 1344
660. 06/29/2017 06:19:57 httpd system_u:object_r:httpd_var_lib_t:s0 2 filesystem associate unconfined_u:object_r:var_lib_t:s0 denied 1345
661. 06/29/2017 06:19:57 httpd system_u:object_r:httpd_var_lib_t:s0 2 filesystem associate unconfined_u:object_r:var_lib_t:s0 denied 1346

Expected results:
gnocchi should work as expected (selinux should allow the usage of the NFS share).

Additional info:
here is the policy I used as a workaround:

[root@overcloud-controller-0 audit]# audit2allow -a -i /var/log/audit/audit.log

#============= httpd_var_lib_t ==============

#!!!! This avc is allowed in the current policy
allow httpd_var_lib_t var_lib_t:filesystem associate;
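The aureport lines in the description can be triaged without reaching for audit2allow first. The following is an added example, not part of the bug report and not code from openstack-selinux: a small Python script that parses `aureport -a` output of the layout shown above (assumed column order: number, date, time, comm, subject context, syscall, class, permission, object context, result, event id), counts denied AVCs per (source type, target type, class, permission) pair, and for `filesystem associate` denials spells out what the pair means and the two remedies this report discusses: a mount context whose type matches the file type, or the allow rule audit2allow emitted. The sample input is constructed from three of the report's own lines; `rewrite_mount_context` is a helper of mine that edits the `context=` option of an fstab line such as the one in step 2.

```python
import re
from collections import Counter

# Constructed sample: three of the `aureport -a` lines quoted in the bug
# description, plus the "..." ellipsis that precedes them there. Assumed
# column layout: num date time comm subj syscall class permission obj result event
SAMPLE_AUREPORT = """\
...
654. 06/29/2017 06:17:21 httpd system_u:object_r:httpd_var_lib_t:s0 2 filesystem associate unconfined_u:object_r:var_lib_t:s0 denied 1173
655. 06/29/2017 06:18:59 httpd system_u:object_r:httpd_var_lib_t:s0 2 filesystem associate unconfined_u:object_r:var_lib_t:s0 denied 1280
661. 06/29/2017 06:19:57 httpd system_u:object_r:httpd_var_lib_t:s0 2 filesystem associate unconfined_u:object_r:var_lib_t:s0 denied 1346
"""

FIELDS = ("num", "date", "time", "comm", "scontext", "syscall",
          "tclass", "perm", "tcontext", "result", "event")


def parse_aureport(text):
    """Parse `aureport -a` output into dicts keyed by FIELDS.

    Lines that do not fit the 11-column layout (headers, the '...' ellipsis)
    are skipped rather than raising, so the function can take a raw report.
    """
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or not parts[0].endswith("."):
            continue
        rec = dict(zip(FIELDS, parts))
        rec["num"] = rec["num"].rstrip(".")
        records.append(rec)
    return records


def selinux_type(context):
    """Return the type field of a user:role:type[:range] context string."""
    return context.split(":")[2]


def summarize_denials(records):
    """Count denied AVCs by (source type, target type, class, permission)."""
    counts = Counter()
    for rec in records:
        if rec["result"] != "denied":
            continue
        key = (selinux_type(rec["scontext"]), selinux_type(rec["tcontext"]),
               rec["tclass"], rec["perm"])
        counts[key] += 1
    return counts


def explain(key, count):
    """Human-readable reading of one denial pair."""
    stype, ttype, tclass, perm = key
    if (tclass, perm) == ("filesystem", "associate"):
        # For filesystem:associate the source is the label of the file being
        # placed and the target is the label of the filesystem it lands on,
        # which is why a context= mount option of the wrong type shows up as
        # a denial even though the process itself is confined correctly.
        return (f"{count}x denied: files labeled {stype} cannot be placed on a "
                f"filesystem labeled {ttype}; mount with a context of type "
                f"{stype}, or add: allow {stype} {ttype}:{tclass} {perm};")
    return f"{count}x denied: {stype} -> {ttype} ({tclass} {perm})"


def rewrite_mount_context(fstab_line, new_type):
    """Return the fstab line with the type in its context= option replaced
    (e.g. var_lib_t -> httpd_var_lib_t); other fields are left untouched."""
    def repl(m):
        user, role, rest = m.group(1), m.group(2), m.group(4) or ""
        return f'context="{user}:{role}:{new_type}{rest}"'
    return re.sub(r'context="([^:"]+):([^:"]+):([^:"]+)(:[^"]*)?"',
                  repl, fstab_line)


if __name__ == "__main__":
    summary = summarize_denials(parse_aureport(SAMPLE_AUREPORT))
    for key, count in summary.most_common():
        print(explain(key, count))
    fstab = ('172.16.0.1:/gnocchi /var/lib/gnocchi nfs '
             'vers=4.2,context="unconfined_u:object_r:var_lib_t:s0" 0 0')
    print(rewrite_mount_context(fstab, "httpd_var_lib_t"))
```

Run against the full report rather than the sample, the summary also surfaces any other denial pairs (the "no other AVCs" caveat raised later in the thread) instead of only the one audit2allow happened to print.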
Please provide the full audit.log from a run in permissive. audit2allow does not always choose the right way to handle something like this for all cases.
Created attachment 1293221: audit.log
Are we sure the NFS share for gnocchi should be var_lib_t instead of http_var_lib_t? I think it would work with the mount context as httpd_var_lib_t with no policy changes.
With the context as noted, the above policy module would work assuming no other AVCs.
adding needinfo for Lon's question
(In reply to Lon Hohberger from comment #3)
> Are we sure the NFS share for gnocchi should be var_lib_t instead of
> http_var_lib_t? I think it would work with the mount context as
> httpd_var_lib_t with no policy changes.

Hi Lon,
IIRC I've tried it and it didn't work because of some other component affected by the different context. Sorry if I can't be more precise, as I don't have access to that environment anymore. I can try to set something up again once I am back from PTO.
*** Bug 1493275 has been marked as a duplicate of this bug. ***
https://github.com/redhat-openstack/openstack-selinux/commit/ce13ba72c9148791e32d7d54f7ffaf27c88bb76f
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0365