Bug 1475871 - OSP12: unable to run ping as non-root user: ping: socket: Operation not permitted
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: diskimage-builder
Version: 12.0 (Pike)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ga
Target Release: 12.0 (Pike)
Assignee: Ben Nemec
QA Contact: Marius Cornea
Duplicates: 1484480
Blocks: 1335596 1356451 1394872 1401639 1484480 1542211
Reported: 2017-07-27 13:57 UTC by Marius Cornea
Modified: 2018-02-05 20:50 UTC

Fixed In Version: diskimage-builder-2.9.0-2.el7ost
Clones: 1542211
Last Closed: 2017-12-13 21:45:43 UTC


Attachments
sysctl output (78.55 KB, text/plain), 2017-07-27 13:57 UTC, Marius Cornea
audit.log (970.11 KB, text/plain), 2017-07-28 15:50 UTC, Marius Cornea


Links
Launchpad 1714604, last updated 2017-09-05 15:35:22 UTC
OpenStack gerrit 500212, MERGED, "Remove nested quotes from TAROPTS", last updated 2019-11-13 17:30:41 UTC
Red Hat Product Errata RHEA-2017:3462, normal, SHIPPED_LIVE, Red Hat OpenStack Platform 12.0 Enhancement Advisory, last updated 2018-02-16 01:43:25 UTC

Description Marius Cornea 2017-07-27 13:57:02 UTC
Created attachment 1305395
sysctl output

Description of problem:
With the rhel 7.4 overcloud images provided by the rhosp-director-images rpm a non-root user cannot use the ping command:

[heat-admin@controller-0 ~]$ ping 4.2.2.2
ping: socket: Operation not permitted

[heat-admin@controller-0 ~]$ stat /usr/bin/ping
  File: ‘/usr/bin/ping’
  Size: 66168     	Blocks: 136        IO Block: 4096   regular file
Device: fc02h/64514d	Inode: 1866893     Links: 1
Access: (0755/-rwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Context: unconfined_u:object_r:ping_exec_t:s0
Access: 2017-07-27 12:10:35.932805586 +0000
Modify: 2017-05-22 08:13:45.000000000 +0000
Change: 2017-07-20 18:08:55.367770119 +0000
 Birth: -

[heat-admin@controller-0 ~]$ sudo grep denied /var/log/audit/audit.log
type=AVC msg=audit(1501157605.122:107): avc:  denied  { read } for  pid=16164 comm="grep" name="kvm.conf" dev="vda2" ino=8409462 scontext=system_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1501157605.122:108): avc:  denied  { read } for  pid=16164 comm="grep" name="lockd.conf" dev="vda2" ino=8409458 scontext=system_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1501157605.122:109): avc:  denied  { read } for  pid=16164 comm="grep" name="mlx4.conf" dev="vda2" ino=8409460 scontext=system_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1501157605.122:110): avc:  denied  { read } for  pid=16164 comm="grep" name="truescale.conf" dev="vda2" ino=8409459 scontext=system_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1501157605.122:111): avc:  denied  { read } for  pid=16164 comm="grep" name="tuned.conf" dev="vda2" ino=8409463 scontext=system_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1501157605.122:112): avc:  denied  { read } for  pid=16164 comm="grep" name="vhost.conf" dev="vda2" ino=8409461 scontext=system_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1501160462.303:4335): avc:  denied  { search } for  pid=229548 comm="local" name="keystone" dev="vda2" ino=13710671 scontext=system_u:system_r:postfix_local_t:s0 tcontext=unconfined_u:object_r:keystone_var_lib_t:s0 tclass=dir

Version-Release number of selected component (if applicable):
rhosp-director-images-12.0-20170726.1.el7ost.noarch
Linux controller-0 3.10.0-693.el7.x86_64 #1 SMP Thu Jul 6 19:56:57 EDT 2017 x86_64 x86_64 x86_64 GNU/Linux

How reproducible:
100%

Steps to Reproduce:
1. Deploy the overcloud with the rhel 7.4 overcloud images
2. SSH to one of the overcloud nodes as the heat-admin user
3. ping an address/hostname

Actual results:
ping: socket: Operation not permitted

Expected results:
ping works

Additional info:

Comment 1 Mike Burns 2017-07-28 15:39:54 UTC
Please provide full audit.log from a permissive run.

If the host is permissive, does ping work?

Also, if you think this is selinux, why is it against rhosp-director and not openstack-selinux?

Comment 2 Alex Schultz 2017-07-28 15:45:48 UTC
It's not selinux related. Using setcap seems to fix it.  

$ sudo setcap 'cap_net_admin,cap_net_raw+ep' /usr/bin/ping

Comment 3 Marius Cornea 2017-07-28 15:50:22 UTC
(In reply to Mike Burns from comment #1)
> Please provide full audit.log from a permissive run.

Attaching audit.log

> If the host is permissive, does ping work?

No, ping doesn't work in permissive mode.

> Also, if you think this is selinux, why is it against rhosp-director and not
> openstack-selinux?

I'm not sure that this is selinux related since I get the same result when switching to permissive. I reported it against rhosp-director because I'm seeing the issue on the images provided by rhosp-director. Ping worked fine on a different rhel-7.4 machine, on the undercloud for example.

Comment 4 Marius Cornea 2017-07-28 15:50:59 UTC
Created attachment 1305987
audit.log

Comment 5 Mike Burns 2017-07-28 18:34:49 UTC
As noted by Alex, running setcap fixes this.  It appears to be any RHEL 7.4 based image.  I've been able to reproduce with OSP 11 and 10 images as well.

I checked our base images used to create the overcloud images and they have the right getcap values set on /bin/ping.  The generated overcloud-full images do not.

Another workaround for this is "yum reinstall iputils"

Comment 6 Lon Hohberger 2017-07-28 18:42:26 UTC
Also those AVCs are not related to ping.

Comment 8 Ben Nemec 2017-07-31 14:49:01 UTC
Wow, this is a blast from the past.  Previously the fix was to tell tar to maintain extended attributes on files: https://review.openstack.org/#/c/125428/

Maybe there's something new in 7.4 that needs to be kept?
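The capability that comments 2, 5 and 8 are talking about lives in the file's security.capability extended attribute, which is exactly what gets lost when the image contents go through tar without xattr preservation. The following is an added example, not code from this bug or from diskimage-builder: it decodes that xattr's VFS_CAP_REVISION_2/3 layout and reports which expected capabilities a binary is missing, using a constructed blob for the cap_net_admin,cap_net_raw+ep setting that setcap writes on ping. The path /usr/bin/ping and the expected set are assumptions for the stand-alone run.

```python
import os
import struct

# Capability bit numbers from linux/capability.h for the two caps ping needs.
CAP_NAMES = {12: "cap_net_admin", 13: "cap_net_raw"}
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_2 = 0x02000000
VFS_CAP_REVISION_3 = 0x03000000   # same header, plus a trailing rootid field
VFS_CAP_FLAGS_EFFECTIVE = 0x000001

# Constructed sample: what 'setcap cap_net_admin,cap_net_raw+ep' stores
# (revision 2, effective flag set, permitted bits 12 and 13 = 0x3000).
PING_XATTR = struct.pack("<5I", VFS_CAP_REVISION_2 | VFS_CAP_FLAGS_EFFECTIVE,
                         0x3000, 0, 0, 0)


def decode_security_capability(raw: bytes) -> dict:
    """Decode a raw security.capability blob: u32 magic_etc, then
    permitted_lo, inheritable_lo, permitted_hi, inheritable_hi (little-endian)."""
    if len(raw) < 20:
        raise ValueError("blob too short for vfs_cap_data")
    magic, p_lo, i_lo, p_hi, i_hi = struct.unpack("<5I", raw[:20])
    if magic & VFS_CAP_REVISION_MASK not in (VFS_CAP_REVISION_2, VFS_CAP_REVISION_3):
        raise ValueError("unsupported vfs_cap_data revision 0x%08x" % magic)
    permitted = p_lo | (p_hi << 32)
    inheritable = i_lo | (i_hi << 32)

    def names(mask):
        return sorted(CAP_NAMES.get(b, "cap_%d" % b) for b in range(64) if (mask >> b) & 1)

    return {"permitted": names(permitted), "inheritable": names(inheritable),
            "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE)}


def caps_missing(caps, expected: set) -> list:
    """Expected caps not present as permitted+effective. caps=None models a file
    whose xattr is gone, the state the generated overcloud images were in."""
    if caps is None or not caps["effective"]:
        return sorted(expected)
    return sorted(expected - set(caps["permitted"]))


def audit_file_caps(path: str, expected: set) -> list:
    """Read security.capability from a real file; ENODATA/ENOTSUP count as absent."""
    try:
        raw = os.getxattr(path, "security.capability")
    except OSError:
        return caps_missing(None, expected)
    return caps_missing(decode_security_capability(raw), expected)


if __name__ == "__main__":
    print(decode_security_capability(PING_XATTR))
    print("missing on /usr/bin/ping:", audit_file_caps("/usr/bin/ping", {"cap_net_admin", "cap_net_raw"}))
```

Run the same check against files inside the mounted overcloud-full image to confirm the xattr survived the build; GNU tar only carries it across with --xattrs (and a matching --xattrs-include) enabled.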

Comment 9 Ben Nemec 2017-09-05 15:38:19 UTC
Ugh, sorry.  Didn't mean to clear all the other fields.

Comment 12 Ben Nemec 2017-11-02 22:59:13 UTC
This should already be fixed in OSP 12.  Moving to ON_QA.

Comment 15 Emilien Macchi 2017-12-05 17:13:46 UTC
*** Bug 1484480 has been marked as a duplicate of this bug. ***

Comment 17 Marius Cornea 2017-12-08 16:07:47 UTC
[heat-admin@controller-0 ~]$ ping 4.2.2.2
PING 4.2.2.2 (4.2.2.2) 56(84) bytes of data.
64 bytes from 4.2.2.2: icmp_seq=1 ttl=53 time=58.7 ms

Comment 20 errata-xmlrpc 2017-12-13 21:45:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:3462