Bug 1466444 - selinux prevents NFS share from being used as gnocchi backend [NEEDINFO]
Status: CLOSED ERRATA
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux
Version: 10.0 (Newton)
Hardware: All Linux
Priority: high  Severity: high
Target Milestone: z7
Target Release: 10.0 (Newton)
Assigned To: Lon Hohberger
QA Contact: Aharon Canan
Keywords: Rebase, Triaged, ZStream
Duplicates: 1493275
Reported: 2017-06-29 11:40 EDT by Luca Miccini
Modified: 2018-02-27 11:43 EST

Fixed In Version: openstack-selinux-0.8.11-1.el7ost
Last Closed: 2018-02-27 11:43:33 EST
Type: Bug
Flags: mlopes: needinfo? (slinaber)


Attachments:
audit.log (356.68 KB, application/x-gzip), 2017-06-30 09:11 EDT, Luca Miccini


External Trackers:
Red Hat Product Errata RHBA-2018:0365 (priority normal, status SHIPPED_LIVE): Red Hat OpenStack Platform 10 Bug Fix and Enhancement Advisory, last updated 2018-02-27 16:42:55 EST

Description Luca Miccini 2017-06-29 11:40:04 EDT
Description of problem:

Gnocchi does not work if /var/lib/gnocchi is an NFS share and SELinux is in enforcing mode.

Version-Release number of selected component (if applicable):

osp10

How reproducible:

always

Steps to Reproduce:
1. prepare an NFS share according to:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/sect-Managing_Confined_Services-NFS-Configuration_Examples.html

or use a similarly v4.2 capable server.

2. mount the share under /var/lib/gnocchi with the proper context:

172.16.0.1:/gnocchi 	/var/lib/gnocchi	nfs	vers=4.2,context="unconfined_u:object_r:var_lib_t:s0"	0 0

3. restart openstack-gnocchi-* openstack-ceilometer-* httpd

Actual results:

[root@overcloud-controller-0 ~]# openstack metric measures show cpu_util -r 67b123a9-12fb-123a-b9bf-69bfe1234ad9  | grep 300
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
misconfiguration and was unable to complete
your request.</p>
<p>Please contact the server administrator at
 [no address given] to inform them of the time this error occurred,
 and the actions you performed just before this error.</p>
<p>More information about this error may be available
in the server error log.</p>
</body></html>
 (HTTP 500)


# aureport -a
...
654. 06/29/2017 06:17:21 httpd system_u:object_r:httpd_var_lib_t:s0 2 filesystem associate unconfined_u:object_r:var_lib_t:s0 denied 1173
655. 06/29/2017 06:18:59 httpd system_u:object_r:httpd_var_lib_t:s0 2 filesystem associate unconfined_u:object_r:var_lib_t:s0 denied 1280
656. 06/29/2017 06:18:59 httpd system_u:object_r:httpd_var_lib_t:s0 2 filesystem associate unconfined_u:object_r:var_lib_t:s0 denied 1281
657. 06/29/2017 06:19:02 httpd system_u:object_r:httpd_var_lib_t:s0 2 filesystem associate unconfined_u:object_r:var_lib_t:s0 denied 1295
658. 06/29/2017 06:19:02 httpd system_u:object_r:httpd_var_lib_t:s0 2 filesystem associate unconfined_u:object_r:var_lib_t:s0 denied 1294
659. 06/29/2017 06:19:57 httpd system_u:object_r:httpd_var_lib_t:s0 2 filesystem associate unconfined_u:object_r:var_lib_t:s0 denied 1344
660. 06/29/2017 06:19:57 httpd system_u:object_r:httpd_var_lib_t:s0 2 filesystem associate unconfined_u:object_r:var_lib_t:s0 denied 1345
661. 06/29/2017 06:19:57 httpd system_u:object_r:httpd_var_lib_t:s0 2 filesystem associate unconfined_u:object_r:var_lib_t:s0 denied 1346


Expected results:

gnocchi should work as expected (SELinux should allow the usage of the NFS share).


Additional info:

Here is the policy I used as a workaround:

[root@overcloud-controller-0 audit]# audit2allow -a -i /var/log/audit/audit.log


#============= httpd_var_lib_t ==============

#!!!! This avc is allowed in the current policy
allow httpd_var_lib_t var_lib_t:filesystem associate;
Comment 1 Mike Burns 2017-06-30 08:41:51 EDT
Please provide the full audit.log from a run in permissive.  audit2allow does not always choose the right way to handle something like this for all cases.
Comment 2 Luca Miccini 2017-06-30 09:11 EDT
Created attachment 1293221 [details]
audit.log
Comment 3 Lon Hohberger 2017-07-12 12:16:31 EDT
Are we sure the NFS share for gnocchi should be var_lib_t instead of httpd_var_lib_t? I think it would work with the mount context as httpd_var_lib_t with no policy changes.
Comment 4 Lon Hohberger 2017-07-12 12:23:40 EDT
With the context as noted, the above policy module would work assuming no other AVCs.
Comment 5 Mike Burns 2017-08-04 08:22:44 EDT
adding needinfo for Lon's question
Comment 6 Luca Miccini 2017-08-08 03:57:23 EDT
(In reply to Lon Hohberger from comment #3)
> Are we sure the NFS share for gnocchi should be var_lib_t instead of
> httpd_var_lib_t? I think it would work with the mount context as
> httpd_var_lib_t with no policy changes.

Hi Lon,

IIRC I've tried it and it didn't work because of some other component affected by the different context. Sorry if I can't be more precise as I don't have access to that environment anymore. I can try to set something up again once I am back from PTO.
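The reproduction steps and audit2allow output in the description, together with Lon's suggestion in comment 3 to change the mount context rather than the policy, worked through as an added shell example. This is not code from the bug report and not part of openstack-selinux. The audit.log excerpt is constructed to match the aureport entries in the report (the contexts and event ids are the report's; pid, dev, ino and timestamps are hypothetical), and the function names avc_summary, fstab_entry and policy_te are chosen here. Nothing in it modifies the system: it reduces the AVC records to the tuple a fix has to address, prints the /etc/fstab line for a context mount of type httpd_var_lib_t, and prints the minimal .te module that the reporter's allow rule would live in, so the two candidate fixes can be compared before either is applied.

```shell
#!/bin/sh
# Added example, not code from the bug report or from openstack-selinux.
# Summarises SELinux "associate" denials from an audit.log excerpt and prints
# the two candidate fixes discussed in the thread. Nothing here touches the
# running system; run it as an ordinary user.

# Constructed audit.log excerpt modelled on the aureport entries in the report.
# Contexts and event ids are the report's; pid/dev/ino/timestamps are made up.
AUDIT_SAMPLE='type=AVC msg=audit(1498731441.537:1173): avc:  denied  { associate } for  pid=21143 comm="httpd" name="/" dev="0:45" ino=2 scontext=system_u:object_r:httpd_var_lib_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1498731539.012:1280): avc:  denied  { associate } for  pid=21144 comm="httpd" name="/" dev="0:45" ino=2 scontext=system_u:object_r:httpd_var_lib_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1498731539.012:1281): avc:  denied  { associate } for  pid=21144 comm="httpd" name="/" dev="0:45" ino=2 scontext=system_u:object_r:httpd_var_lib_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=filesystem permissive=0'

# Collapse AVC records into unique "src_type tgt_type class perm" tuples.
# For a filesystem:associate denial, src_type is the label the new file would
# get (via httpd_t's type transition) and tgt_type is the filesystem's label,
# i.e. whatever context= was given at mount time.
avc_summary() {
    printf '%s\n' "$AUDIT_SAMPLE" |
    awk '/avc: +denied/ {
        perm = ""; src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") perm = $(i + 1)
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        print src, tgt, cls, perm
    }' | sort -u
}

# Option 1 (comment 3): label the mount with the type httpd's files already
# carry, so no policy change is needed. Prints the /etc/fstab line only.
# The SELinux user field plays no part in the failing type-enforcement check,
# so system_u is used for the mount context.
# Usage: fstab_entry SERVER:EXPORT MOUNTPOINT SELINUX_TYPE
fstab_entry() {
    printf '%s\t%s\tnfs\tvers=4.2,context="system_u:object_r:%s:s0"\t0 0\n' \
        "$1" "$2" "$3"
}

# Option 2 (the reporter's workaround): a policy module containing only the
# rules the summary calls for, in the form audit2allow -M would produce.
# Build and load on the controller with checkmodule -M -m, semodule_package
# and semodule -i (not done here).
# Usage: policy_te [MODULE_NAME]
policy_te() {
    mod=${1:-gnocchi_nfs}
    printf 'module %s 1.0;\n\nrequire {\n' "$mod"
    avc_summary | awk '{ print "    type " $1 ";"; print "    type " $2 ";" }' | sort -u
    avc_summary | awk '{ printf "    class %s %s;\n", $3, $4 }' | sort -u
    printf '}\n\n'
    avc_summary | awk '{ printf "allow %s %s:%s %s;\n", $1, $2, $3, $4 }'
}

# Stand-alone run: the denial summary, then both candidate fixes.
avc_summary
fstab_entry 172.16.0.1:/gnocchi /var/lib/gnocchi httpd_var_lib_t
policy_te gnocchi_nfs
```

Both fixes answer the same single tuple, but they differ in what they grant. The allow rule only permits files of type httpd_var_lib_t to exist on a filesystem labelled var_lib_t; it gives httpd_t no new access to var_lib_t objects, so it is a small widening, but it is still a custom module that has to be carried on every controller. The context= change needs no policy at all, which is the point of Lon's question in comment 3. The caveat, and the reporter's finding in comment 6, is that a context= mount applies one label to everything on the share, so any other service writing under /var/lib/gnocchi with a different type would hit the same class of denial. Note also the `#!!!! This avc is allowed in the current policy` line in the audit2allow output in the description: it means the loaded policy already contained that rule when audit2allow was run, and in enforcing mode an operation stops at its first denial, so later checks it would also have failed never reach audit.log. That is why comment 1 asks for a full log from a permissive run before the policy is changed.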
Comment 7 Ian Pilcher 2017-09-20 11:20:25 EDT
*** Bug 1493275 has been marked as a duplicate of this bug. ***
Comment 15 errata-xmlrpc 2018-02-27 11:43:33 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0365
