Bug 1475871 - OSP12: unable to run ping as non-root user: ping: socket: Operation not permitted
Summary: OSP12: unable to run ping as non-root user: ping: socket: Operation not permi...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: diskimage-builder
Version: 12.0 (Pike)
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ga
: 12.0 (Pike)
Assignee: Ben Nemec
QA Contact: Marius Cornea
URL:
Whiteboard:
: 1484480 (view as bug list)
Depends On:
Blocks: 1335596 1401639 1356451 1394872 1484480 1542211
TreeView+ depends on / blocked
 
Reported: 2017-07-27 13:57 UTC by Marius Cornea
Modified: 2018-02-05 20:50 UTC (History)
14 users (show)

Fixed In Version: diskimage-builder-2.9.0-2.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1542211 (view as bug list)
Environment:
Last Closed: 2017-12-13 21:45:43 UTC
Target Upstream Version:


Attachments (Terms of Use)
sysctl output (78.55 KB, text/plain)
2017-07-27 13:57 UTC, Marius Cornea
no flags Details
audit.log (970.11 KB, text/plain)
2017-07-28 15:50 UTC, Marius Cornea
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2017:3462 normal SHIPPED_LIVE Red Hat OpenStack Platform 12.0 Enhancement Advisory 2018-02-16 01:43:25 UTC
OpenStack gerrit 500212 None None None 2017-09-05 22:20:01 UTC
Launchpad 1714604 None None None 2017-09-05 15:35:22 UTC

Description Marius Cornea 2017-07-27 13:57:02 UTC
Created attachment 1305395 [details]
sysctl output

Description of problem:
With the rhel 7.4 overcloud images provided by the rhosp-director-images rpm a non-root user cannot use the ping command:

[heat-admin@controller-0 ~]$ ping 4.2.2.2
ping: socket: Operation not permitted

[heat-admin@controller-0 ~]$ stat /usr/bin/ping
  File: ‘/usr/bin/ping’
  Size: 66168     	Blocks: 136        IO Block: 4096   regular file
Device: fc02h/64514d	Inode: 1866893     Links: 1
Access: (0755/-rwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Context: unconfined_u:object_r:ping_exec_t:s0
Access: 2017-07-27 12:10:35.932805586 +0000
Modify: 2017-05-22 08:13:45.000000000 +0000
Change: 2017-07-20 18:08:55.367770119 +0000
 Birth: -

[heat-admin@controller-0 ~]$ sudo grep denied /var/log/audit/audit.log
type=AVC msg=audit(1501157605.122:107): avc:  denied  { read } for  pid=16164 comm="grep" name="kvm.conf" dev="vda2" ino=8409462 scontext=system_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1501157605.122:108): avc:  denied  { read } for  pid=16164 comm="grep" name="lockd.conf" dev="vda2" ino=8409458 scontext=system_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1501157605.122:109): avc:  denied  { read } for  pid=16164 comm="grep" name="mlx4.conf" dev="vda2" ino=8409460 scontext=system_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1501157605.122:110): avc:  denied  { read } for  pid=16164 comm="grep" name="truescale.conf" dev="vda2" ino=8409459 scontext=system_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1501157605.122:111): avc:  denied  { read } for  pid=16164 comm="grep" name="tuned.conf" dev="vda2" ino=8409463 scontext=system_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1501157605.122:112): avc:  denied  { read } for  pid=16164 comm="grep" name="vhost.conf" dev="vda2" ino=8409461 scontext=system_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1501160462.303:4335): avc:  denied  { search } for  pid=229548 comm="local" name="keystone" dev="vda2" ino=13710671 scontext=system_u:system_r:postfix_local_t:s0 tcontext=unconfined_u:object_r:keystone_var_lib_t:s0 tclass=dir
[heat-adm

Version-Release number of selected component (if applicable):
rhosp-director-images-12.0-20170726.1.el7ost.noarch
Linux controller-0 3.10.0-693.el7.x86_64 #1 SMP Thu Jul 6 19:56:57 EDT 2017 x86_64 x86_64 x86_64 GNU/Linux

How reproducible:
100%

Steps to Reproduce:
1. Deploy overcloud with rhel 7.4 overcloud images 
2. SSH to one of the overcloud users as heat-admin users
3. ping an address/hostname

Actual results:
ping: socket: Operation not permitted

Expected results:
ping works

Additional info:

Comment 1 Mike Burns 2017-07-28 15:39:54 UTC
Please provide full audit.log from a permissive run.

If the host is permissive, does ping work?

Also, if you think this is selinux, why is it against rhosp-director and not openstack-selinux?

Comment 2 Alex Schultz 2017-07-28 15:45:48 UTC
It's not selinux related. Using setcap seems to fix it.  

$ sudo setcap 'cap_net_admin,cap_net_raw+ep' /usr/bin/ping

Comment 3 Marius Cornea 2017-07-28 15:50:22 UTC
(In reply to Mike Burns from comment #1)
> Please provide full audit.log from a permissive run.

Attaching audit.log

> If the host is permissive, does ping work?

No, ping doesn't work in permissive modes.

> Also, if you think this is selinux, why is it against rhosp-director and not
> openstack-selinux?

I'm not sure that this is selinux related since I get the same result when switching to permissive. I reported it agains rhosp-director because I'm seeing the issue on the images provided by the rhosp-director. Ping worked fine on a different rhel-7.4 machine, on the undercloud for example.

Comment 4 Marius Cornea 2017-07-28 15:50:59 UTC
Created attachment 1305987 [details]
audit.log

Comment 5 Mike Burns 2017-07-28 18:34:49 UTC
As noted by Alex, running setcap fixes this.  It appears to be any RHEL 7.4 based image.  I've been able to reproduce with OSP 11 and 10 images as well.

I checked our base images used to create the overcloud images and they have the right getcap values set on /bin/ping.  The generated overcloud-full images do not.

Another workaround for this is "yum reinstall iputils"

Comment 6 Lon Hohberger 2017-07-28 18:42:26 UTC
Also those AVCs are not related to ping.

Comment 8 Ben Nemec 2017-07-31 14:49:01 UTC
Wow, this is a blast from the past.  Previously the fix was to tell tar to maintain extended attributes on files: https://review.openstack.org/#/c/125428/

Maybe there's something new in 7.4 that needs to be kept?

Comment 9 Ben Nemec 2017-09-05 15:38:19 UTC
Ugh, sorry.  Didn't mean to clear all the other fields.

Comment 12 Ben Nemec 2017-11-02 22:59:13 UTC
This should already be fixed in OSP 12.  Moving to ON_QA.

Comment 15 Emilien Macchi 2017-12-05 17:13:46 UTC
*** Bug 1484480 has been marked as a duplicate of this bug. ***

Comment 17 Marius Cornea 2017-12-08 16:07:47 UTC
[heat-admin@controller-0 ~]$ ping 4.2.2.2
PING 4.2.2.2 (4.2.2.2) 56(84) bytes of data.
64 bytes from 4.2.2.2: icmp_seq=1 ttl=53 time=58.7 ms

Comment 20 errata-xmlrpc 2017-12-13 21:45:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:3462


Note You need to log in before you can comment on or make changes to this bug.