Bug 1532641 - Undercloud installation fails with selinux
Summary: Undercloud installation fails with selinux
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: instack-undercloud
Version: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: beta
: 13.0 (Queens)
Assignee: Sofer Athlan-Guyot
QA Contact: Gurenko Alex
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-01-09 13:50 UTC by Gurenko Alex
Modified: 2018-06-27 13:42 UTC (History)
6 users (show)

Fixed In Version: instack-undercloud-8.1.1-0.20180117134321.el7ost
Doc Type: No Doc Update
Doc Text:
undefined
Clone Of:
Environment:
Last Closed: 2018-06-27 13:41:30 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Launchpad 1711564 None None None 2018-01-09 20:04:27 UTC
Launchpad 1736246 None None None 2018-01-09 20:08:15 UTC
OpenStack gerrit 495157 None master: MERGED instack-undercloud: Make sure selinux permissions are correct on ~/.ssh. (Ifc76d3717f4f214f9f3d55ccbafdbcc0180c31c1) 2018-02-07 14:01:38 UTC
OpenStack gerrit 525911 None master: MERGED instack-undercloud: Fix wrong path in ssh selinux issue detection. (Ib5873383632a1141c8dd3859b34ca29904020790) 2018-02-07 14:01:27 UTC
OpenStack gerrit 528698 None master: MERGED instack-undercloud: Fix wrong flag to prevent failure when selinux perm are correct. (I39e42ff54fd7a461f7a03cfb8be17db92... 2018-02-07 14:01:20 UTC
Red Hat Product Errata RHEA-2018:2086 None None None 2018-06-27 13:42:00 UTC

Description Gurenko Alex 2018-01-09 13:50:19 UTC
Description of problem: when trying to install RHOS 13, undercloud installation fails.


Version-Release number of selected component (if applicable): 2018-01-03.2 (current latest)


How reproducible: try installing undercloud


Steps to Reproduce:
1. 
2.
3.

Actual results:

2018-01-09 07:35:42,632 INFO: find: '/home/.ssh/': No such file or directory
2018-01-09 07:35:42,633 INFO: + selinux_wrong_permission=
2018-01-09 07:35:42,634 INFO: [2018-01-09 07:35:42,633] (os-refresh-config) [ERROR] during post-configure phase. [Command '['dib-run-parts', '/usr/libexec/os-refresh-config/post-configure.d']' returned non-zero exit status 1]
2018-01-09 07:35:42,634 INFO:
2018-01-09 07:35:42,634 INFO: [2018-01-09 07:35:42,633] (os-refresh-config) [ERROR] Aborting...
2018-01-09 07:35:42,640 DEBUG: An exception occurred
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 1875, in install
    _run_orc(instack_env)
  File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 1391, in _run_orc
    _run_live_command(args, instack_env, 'os-refresh-config')
  File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 606, in _run_live_command
    raise RuntimeError('%s failed. See log for details.' % name)
RuntimeError: os-refresh-config failed. See log for details.
2018-01-09 07:35:42,641 ERROR:
#############################################################################
Undercloud install failed.

Reason: os-refresh-config failed. See log for details.

See the previous output for details about what went wrong.  The full install
log can be found at /home/stack/.instack/install-undercloud.log.

#############################################################################


Expected results:

Undercloud installs successfully


Additional info:

[root@undercloud-0 audit]# sealert -a audit.log
100% done
found 1 alerts in audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/lib64/erlang/erts-7.3.1.4/bin/inet_gethost from read access on the file unix.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that inet_gethost should be allowed read access on the unix file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'inet_gethost' --raw | audit2allow -M my-inetgethost
# semodule -i my-inetgethost.pp


Additional Information:
Source Context                system_u:system_r:rabbitmq_t:s0
Target Context                system_u:object_r:proc_net_t:s0
Target Objects                unix [ file ]
Source                        inet_gethost
Source Path                   /usr/lib64/erlang/erts-7.3.1.4/bin/inet_gethost
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           erlang-erts-18.3.4.7-1.el7ost.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-166.el7_4.7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     undercloud-0.redhat.local
Platform                      Linux undercloud-0.redhat.local
                              3.10.0-693.11.6.el7.x86_64 #1 SMP Thu Dec 28
                              14:23:39 EST 2017 x86_64 x86_64
Alert Count                   2
First Seen                    2018-01-09 07:26:30 EST
Last Seen                     2018-01-09 07:26:32 EST
Local ID                      834df1a6-4978-4987-ae91-57e399ddd7bb

Raw Audit Messages
type=AVC msg=audit(1515500792.651:615): avc:  denied  { read } for  pid=13941 comm="inet_gethost" name="unix" dev="proc" ino=4026532003 scontext=system_u:system_r:rabbitmq_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file


type=SYSCALL msg=audit(1515500792.651:615): arch=x86_64 syscall=access success=no exit=EACCES a0=7ffef354f880 a1=4 a2=7ffef354f88e a3=3 items=0 ppid=13940 pid=13941 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=inet_gethost exe=/usr/lib64/erlang/erts-7.3.1.4/bin/inet_gethost subj=system_u:system_r:rabbitmq_t:s0 key=(null)

Hash: inet_gethost,rabbitmq_t,proc_net_t,file,read

setting selinux to permissive allows to pass this stage.

Comment 2 Gurenko Alex 2018-02-15 07:28:45 UTC
Latest puddle (2018-02-07.4) installs undercloud successfully.

Comment 6 Sofer Athlan-Guyot 2018-06-21 10:45:57 UTC
No doc text required.

Comment 8 errata-xmlrpc 2018-06-27 13:41:30 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:2086


Note You need to log in before you can comment on or make changes to this bug.