Bug 1477720 - rhosp-director: OSP12: Selinux AVC messages on OC nodes and cannot launch instance when enabled
Status: CLOSED CURRENTRELEASE
Product: Red Hat OpenStack
Classification: Red Hat
Component: rhosp-director
Version: 12.0 (Pike)
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: high
Target Milestone: ga
Target Release: 12.0 (Pike)
Assigned To: Lon Hohberger
QA Contact: Alexander Chuzhoy
Keywords: AutomationBlocker, Triaged
Duplicates: 1477324 1480673
Depends On:
Blocks:
Reported: 2017-08-02 13:28 EDT by Alexander Chuzhoy
Modified: 2017-10-11 07:46 EDT (History)
CC List: 14 users

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-09-18 16:11:35 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description Alexander Chuzhoy 2017-08-02 13:28:04 EDT
rhosp-director: OSP12: Selinux AVC messages on OC nodes 
Environment:
libselinux-2.5-11.el7.x86_64
selinux-policy-targeted-3.13.1-166.el7.noarch
libselinux-python-2.5-11.el7.x86_64
libselinux-utils-2.5-11.el7.x86_64
selinux-policy-3.13.1-166.el7.noarch
ceph-selinux-10.2.7-28.el7cp.x86_64
openstack-selinux-0.8.8-0.20170622195307.74ddc0e.el7ost.noarch
libselinux-ruby-2.5-11.el7.x86_64
container-selinux-2.19-2.1.el7.noarch
openstack-puppet-modules-10.0.0-0.20170315222135.0333c73.el7.1.noarch
openstack-tripleo-heat-templates-7.0.0-0.20170721174554.el7ost.noarch
instack-undercloud-7.1.1-0.20170714211622.el7ost.noarch



Steps to reproduce:
Deploy OSP12
Check audit.log for avc messages.

Result:
type=AVC msg=audit(1501691231.893:201): avc:  denied  { read } for  pid=20741 comm="grep" name="kvm.conf" dev="vda2" ino=97 scontext=system_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1501691231.893:202): avc:  denied  { read } for  pid=20741 comm="grep" name="lockd.conf" dev="vda2" ino=96 scontext=system_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1501691231.893:203): avc:  denied  { read } for  pid=20741 comm="grep" name="mlx4.conf" dev="vda2" ino=99 scontext=system_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1501691231.893:204): avc:  denied  { read } for  pid=20741 comm="grep" name="truescale.conf" dev="vda2" ino=100 scontext=system_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1501691231.893:205): avc:  denied  { read } for  pid=20741 comm="grep" name="tuned.conf" dev="vda2" ino=101 scontext=system_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1501691231.893:206): avc:  denied  { read } for  pid=20741 comm="grep" name="vhost.conf" dev="vda2" ino=98 scontext=system_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:modules_conf_t:s0 tclass=file
type=USER_AVC msg=audit(1501691823.328:1123): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 path="/run/systemd/system/docker-b0ffc486aa3f237e588bea5dc6789209433442d0c79bbb171a7c2e152243d546.scope" cmdline="/usr/lib/systemd/systemd-machined" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:container_unit_file_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1501691823.328:1124): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 path="/run/systemd/system/docker-b0ffc486aa3f237e588bea5dc6789209433442d0c79bbb171a7c2e152243d546.scope" cmdline="/usr/lib/systemd/systemd-machined" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:container_unit_file_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1501692080.561:1554): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 path="/run/systemd/system/docker-74a42c6ae84a7226af84d3bf0525993676624bb748ffc869808d619b6cb74f06.scope" cmdline="/usr/lib/systemd/systemd-machined" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:container_unit_file_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1501692080.561:1555): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 path="/run/systemd/system/docker-74a42c6ae84a7226af84d3bf0525993676624bb748ffc869808d619b6cb74f06.scope" cmdline="/usr/lib/systemd/systemd-machined" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:container_unit_file_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Comment 1 Alexander Chuzhoy 2017-08-02 13:29:28 EDT
Note: The deployment with selinux in OC nodes set to enforced completed successfully.
Comment 2 Alexander Chuzhoy 2017-08-02 13:46:51 EDT
When trying to launch a nova instance on compute the following entries are added:

type=AVC msg=audit(1501695361.139:584): avc:  denied  { search } for  pid=55385 comm="virtlogd" name="54529" dev="proc" ino=1151016 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spc_t:s0 tclass=dir
type=AVC msg=audit(1501695361.140:585): avc:  denied  { search } for  pid=55385 comm="virtlogd" name="54529" dev="proc" ino=1151016 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spc_t:s0 tclass=dir
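The denials in the description and in comment 2 are raw audit records, and triaging them by hand means reading the same scontext/tcontext/tclass triple out of every line. The following script is an added example (not part of the bug report or of rhosp-director) that parses both plain AVC and USER_AVC records, reduces them to (source type, target type, class, permission) keys, and counts how many distinct denials the log actually contains. The sample log is constructed from records copied verbatim from this report; the helper names are my own.

```python
import re
from collections import Counter

# Constructed sample: audit records copied from the report above (two of the
# iptables_t/grep denials, one systemd-machined USER_AVC, and the two virtlogd
# denials from comment 2).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1501691231.893:201): avc:  denied  { read } for  pid=20741 comm="grep" name="kvm.conf" dev="vda2" ino=97 scontext=system_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1501691231.893:202): avc:  denied  { read } for  pid=20741 comm="grep" name="lockd.conf" dev="vda2" ino=96 scontext=system_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:modules_conf_t:s0 tclass=file
type=USER_AVC msg=audit(1501691823.328:1123): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 path="/run/systemd/system/docker-b0ffc486aa3f237e588bea5dc6789209433442d0c79bbb171a7c2e152243d546.scope" cmdline="/usr/lib/systemd/systemd-machined" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:container_unit_file_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1501695361.139:584): avc:  denied  { search } for  pid=55385 comm="virtlogd" name="54529" dev="proc" ino=1151016 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spc_t:s0 tclass=dir
type=AVC msg=audit(1501695361.140:585): avc:  denied  { search } for  pid=55385 comm="virtlogd" name="54529" dev="proc" ino=1151016 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spc_t:s0 tclass=dir
"""

# "type=AVC msg=audit(<epoch>.<ms>:<serial>):" prefix shared by every record.
HEADER_RE = re.compile(r"type=(?P<type>\S+)\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)")
# The avc body itself; for USER_AVC it sits inside msg='...', so search, not match.
AVC_RE = re.compile(r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
# key=value pairs, with or without double quotes around the value.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type component of user:role:type[:range]."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def parse_avc(line):
    """Parse one AVC or USER_AVC record into a dict; None for any other record type."""
    header = HEADER_RE.search(line)
    body = AVC_RE.search(line)
    if not header or not body:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(body.group("rest"))}
    return {
        "type": header.group("type"),
        "timestamp": float(header.group("ts")),
        "serial": int(header.group("serial")),
        "decision": body.group("decision"),
        "perms": body.group("perms").split(),      # "{ read write }" -> ["read", "write"]
        "source": selinux_type(fields.get("scontext", "")),
        "target": selinux_type(fields.get("tcontext", "")),
        "tclass": fields.get("tclass", ""),
        "comm": fields.get("comm") or fields.get("cmdline", ""),   # USER_AVC carries cmdline
        "name": fields.get("name") or fields.get("path", ""),      # USER_AVC carries path
    }


def summarize_denials(log_text):
    """Count denied accesses by (source type, target type, class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["decision"] == "denied":
            for perm in rec["perms"]:
                counts[(rec["source"], rec["target"], rec["tclass"], perm)] += 1
    return counts


def te_rule(key):
    """Render a summary key in allow-rule syntax, to compare against audit2allow output."""
    source, target, tclass, perm = key
    return f"allow {source} {target}:{tclass} {perm};"


if __name__ == "__main__":
    for key, n in sorted(summarize_denials(SAMPLE_AUDIT_LOG).items()):
        print(f"{n:3d}x  {te_rule(key)}")
```

Run against the sample, the five records collapse to three distinct denials: iptables_t reading modules_conf_t files (the grep over /etc/modprobe.d), systemd_machined_t querying the status of a container_unit_file_t service, and virtlogd_t searching a spc_t /proc entry, the last being the one that blocks instance launch in comment 2. The `te_rule` output is what audit2allow would propose; it is printed here so the reviewer can see exactly which domain-to-type access each denial asks for, which is the question to answer before deciding whether the right fix is a policy update, a relabel, or a change in how the process is started.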
Comment 3 Alexander Chuzhoy 2017-08-02 13:54:58 EDT
Setting selinux to permissive on compute nodes makes it possible to launch nova instance that fails with selinux deny message in comment #2
Comment 4 Alexander Chuzhoy 2017-08-02 13:58:00 EDT
*** Bug 1477324 has been marked as a duplicate of this bug. ***
Comment 6 Alexander Chuzhoy 2017-08-11 13:22:00 EDT
*** Bug 1480673 has been marked as a duplicate of this bug. ***
Comment 7 Lon Hohberger 2017-09-18 16:11:35 EDT
Doesn't seem to reproduce any more after talking with QE.
