Bug 1477720 - rhosp-director: OSP12: Selinux AVC messages on OC nodes and cannot launch instance when enabled
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: rhosp-director
Version: 12.0 (Pike)
Hardware: Unspecified
OS: Unspecified
urgent
high
Target Milestone: ga
Target Release: 12.0 (Pike)
Assignee: Lon Hohberger
QA Contact: Alexander Chuzhoy
URL:
Whiteboard:
Duplicates: 1477324 1480673
Depends On:
Blocks:
 
Reported: 2017-08-02 17:28 UTC by Alexander Chuzhoy
Modified: 2022-03-13 14:22 UTC
CC: 15 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-09-18 20:11:35 UTC
Target Upstream Version:
Embargoed:



Description Alexander Chuzhoy 2017-08-02 17:28:04 UTC
rhosp-director: OSP12: Selinux AVC messages on OC nodes 
Environment:
libselinux-2.5-11.el7.x86_64
selinux-policy-targeted-3.13.1-166.el7.noarch
libselinux-python-2.5-11.el7.x86_64
libselinux-utils-2.5-11.el7.x86_64
selinux-policy-3.13.1-166.el7.noarch
ceph-selinux-10.2.7-28.el7cp.x86_64
openstack-selinux-0.8.8-0.20170622195307.74ddc0e.el7ost.noarch
libselinux-ruby-2.5-11.el7.x86_64
container-selinux-2.19-2.1.el7.noarch
openstack-puppet-modules-10.0.0-0.20170315222135.0333c73.el7.1.noarch
openstack-tripleo-heat-templates-7.0.0-0.20170721174554.el7ost.noarch
instack-undercloud-7.1.1-0.20170714211622.el7ost.noarch



Steps to reproduce:
Deploy OSP12
Check audit.log for avc messages.

Result:
type=AVC msg=audit(1501691231.893:201): avc:  denied  { read } for  pid=20741 comm="grep" name="kvm.conf" dev="vda2" ino=97 scontext=system_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1501691231.893:202): avc:  denied  { read } for  pid=20741 comm="grep" name="lockd.conf" dev="vda2" ino=96 scontext=system_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1501691231.893:203): avc:  denied  { read } for  pid=20741 comm="grep" name="mlx4.conf" dev="vda2" ino=99 scontext=system_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1501691231.893:204): avc:  denied  { read } for  pid=20741 comm="grep" name="truescale.conf" dev="vda2" ino=100 scontext=system_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1501691231.893:205): avc:  denied  { read } for  pid=20741 comm="grep" name="tuned.conf" dev="vda2" ino=101 scontext=system_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1501691231.893:206): avc:  denied  { read } for  pid=20741 comm="grep" name="vhost.conf" dev="vda2" ino=98 scontext=system_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:modules_conf_t:s0 tclass=file
type=USER_AVC msg=audit(1501691823.328:1123): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 path="/run/systemd/system/docker-b0ffc486aa3f237e588bea5dc6789209433442d0c79bbb171a7c2e152243d546.scope" cmdline="/usr/lib/systemd/systemd-machined" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:container_unit_file_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1501691823.328:1124): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 path="/run/systemd/system/docker-b0ffc486aa3f237e588bea5dc6789209433442d0c79bbb171a7c2e152243d546.scope" cmdline="/usr/lib/systemd/systemd-machined" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:container_unit_file_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1501692080.561:1554): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 path="/run/systemd/system/docker-74a42c6ae84a7226af84d3bf0525993676624bb748ffc869808d619b6cb74f06.scope" cmdline="/usr/lib/systemd/systemd-machined" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:container_unit_file_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1501692080.561:1555): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 path="/run/systemd/system/docker-74a42c6ae84a7226af84d3bf0525993676624bb748ffc869808d619b6cb74f06.scope" cmdline="/usr/lib/systemd/systemd-machined" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:container_unit_file_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

Comment 1 Alexander Chuzhoy 2017-08-02 17:29:28 UTC
Note: The deployment with selinux in OC nodes set to enforced completed successfully.

Comment 2 Alexander Chuzhoy 2017-08-02 17:46:51 UTC
When trying to launch a nova instance on compute the following entries are added:

type=AVC msg=audit(1501695361.139:584): avc:  denied  { search } for  pid=55385 comm="virtlogd" name="54529" dev="proc" ino=1151016 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spc_t:s0 tclass=dir
type=AVC msg=audit(1501695361.140:585): avc:  denied  { search } for  pid=55385 comm="virtlogd" name="54529" dev="proc" ino=1151016 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spc_t:s0 tclass=dir

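The denials quoted in the description and in comment 2 are the raw material for deciding whether a report like this is a policy gap (a host daemon such as virtlogd legitimately needing to look into a containerized process's /proc entry) or a mislabeling. The script below is an added triage example for this bug, not code from the report or from any Red Hat package: it parses both plain AVC records and the USER_AVC records that systemd nests inside msg='...', groups denials by (source type, target type, class), separates denials against running domains from denials against filesystem objects, and drafts audit2allow-style TE rules for review. The sample log embeds four records copied from this bug plus one constructed SERVICE_START line to show that non-AVC records are skipped.

```python
"""Triage SELinux AVC denials from audit.log: parse, group, and draft TE rules.

Added example for this bug report; not part of the bug or any Red Hat package.
"""
import re
from collections import defaultdict

# Records 201, 202, 1123 and 584 are copied from this bug report; the
# SERVICE_START record is constructed here to exercise the non-AVC path.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1501691231.893:201): avc:  denied  { read } for  pid=20741 comm="grep" name="kvm.conf" dev="vda2" ino=97 scontext=system_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1501691231.893:202): avc:  denied  { read } for  pid=20741 comm="grep" name="lockd.conf" dev="vda2" ino=96 scontext=system_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:modules_conf_t:s0 tclass=file
type=SERVICE_START msg=audit(1501691231.900:207): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=iptables comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=USER_AVC msg=audit(1501691823.328:1123): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 path="/run/systemd/system/docker-b0ffc486aa3f237e588bea5dc6789209433442d0c79bbb171a7c2e152243d546.scope" cmdline="/usr/lib/systemd/systemd-machined" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:container_unit_file_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1501695361.139:584): avc:  denied  { search } for  pid=55385 comm="virtlogd" name="54529" dev="proc" ino=1151016 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spc_t:s0 tclass=dir
"""

# Matches the audit envelope and the "avc: denied { perms } for ..." payload,
# whether it sits at top level (AVC) or inside msg='...' (USER_AVC).
AVC_RE = re.compile(
    r"^type=(?P<type>AVC|USER_AVC) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):.*?"
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Type component of a user:role:type[:range] SELinux context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return a dict for one AVC/USER_AVC record, or None for any other record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").rstrip("'")  # drop the closing quote of msg='...'
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    rec = {
        "type": m.group("type"),
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": set(m.group("perms").split()),
        # plain AVC records carry comm=; USER_AVC records carry cmdline= instead
        "comm": fields.get("comm") or fields.get("cmdline"),
        "tclass": fields["tclass"],
        "scontext": fields["scontext"],
        "tcontext": fields["tcontext"],
        "fields": fields,
    }
    rec["stype"] = context_type(rec["scontext"])
    rec["ttype"] = context_type(rec["tcontext"])
    return rec


def parse_audit_log(text):
    """All AVC/USER_AVC records in an audit.log excerpt, in file order."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]


def is_domain_target(rec):
    """True when the target is a running process (a domain), not a filesystem object.

    Object labels carry the object_r role; a target with any other role (system_r
    for spc_t above) is another process, e.g. a host daemon reaching into /proc/<pid>.
    """
    return rec["tcontext"].split(":")[1] != "object_r"


def summarize(records):
    """Group denials by (source type, target type, class) -> union of denied perms."""
    groups = defaultdict(set)
    for r in records:
        if r["verdict"] == "denied":
            groups[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    return dict(groups)


def to_te_rules(groups):
    """Draft TE allow rules in the style of audit2allow output, one per group.

    These are for review, not for loading as-is: a denial can mean a missing rule,
    but also a mislabeled file or a real policy violation.
    """
    rules = []
    for (stype, ttype, tclass), perms in sorted(groups.items()):
        p = " ".join(sorted(perms))
        if len(perms) > 1:
            p = "{ %s }" % p
        rules.append("allow %s %s:%s %s;" % (stype, ttype, tclass, p))
    return rules


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for r in recs:
        kind = "domain" if is_domain_target(r) else "object"
        print("%s %d %s -> %s:%s %s (%s target, comm=%s)" % (
            r["type"], r["serial"], r["stype"], r["ttype"], r["tclass"],
            sorted(r["perms"]), kind, r["comm"]))
    for rule in to_te_rules(summarize(recs)):
        print(rule)
```

Grouping before drafting rules matters because the five modules_conf_t denials in the description are one policy decision (iptables_t reading files under /etc/modprobe.d), not five; and the virtlogd_t -> spc_t:dir denial stands out as the only one whose target is a process rather than a file, which is why it is the one that breaks instance launch rather than just producing noise.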
Comment 3 Alexander Chuzhoy 2017-08-02 17:54:58 UTC
Setting SELinux to permissive on compute nodes makes it possible to launch the nova instance that fails with the SELinux deny message in comment #2.

Comment 4 Alexander Chuzhoy 2017-08-02 17:58:00 UTC
*** Bug 1477324 has been marked as a duplicate of this bug. ***

Comment 6 Alexander Chuzhoy 2017-08-11 17:22:00 UTC
*** Bug 1480673 has been marked as a duplicate of this bug. ***

Comment 7 Lon Hohberger 2017-09-18 20:11:35 UTC
Doesn't seem to reproduce any more after talking with QE.

