Red Hat Bugzilla – Bug 1560019
OSP container images do not pass RPM verification check
Last modified: 2018-06-27 09:48:48 EDT
Description of problem: Base (i.e. unmodified) OSP containers are failing one of the certification checks enforced by the system our Partners will use to distribute their OSP container plugins. Our partners' container images won't pass the certification checks unless the base images pass. The test that fails is called "rpm_verify_successful" and it ensures all packages pass the "rpm -V" test. The selinux-policy-targeted RPM fails:

[root@overcloud-controller-0 ~]# docker exec -ti -u root cinder_volume bash
()[root@overcloud-controller-0 /]# stty cols 100
()[root@overcloud-controller-0 /]# rpm -V selinux-policy-targeted
.M....... /etc/selinux/targeted/active/users_extra

The issue appears to be incorrect permission on the users_extra file, and if corrected the verification passes:

()[root@overcloud-controller-0 /]# ls -l /etc/selinux/targeted/active/users_extra
-rw-r--r--. 1 root root 101 Mar 6 04:56 /etc/selinux/targeted/active/users_extra
()[root@overcloud-controller-0 /]# chmod 0600 /etc/selinux/targeted/active/users_extra
()[root@overcloud-controller-0 /]# rpm -V selinux-policy-targeted
()[root@overcloud-controller-0 /]#

I checked a couple of containers (not just cinder) and every one I checked was affected. This makes me believe the problem lies in the "openstack-base" image. I also observe the problem when checking upstream TripleO containers, so the root cause is likely upstream.

Version-Release number of selected component (if applicable):
How reproducible:
Steps to Reproduce:
1.
2.
3.
Actual results:
Expected results:
Additional info:
This is outside of containers - on RHEL 7.5 beta:

[root@localhost ~]# rpm -V selinux-policy-targeted
[root@localhost ~]# ls -lZ /etc/selinux/targeted/active/users_extra
-rw-------. root root unconfined_u:object_r:semanage_store_t:s0 /etc/selinux/targeted/active/users_extra
[root@localhost ~]# semanage port -N -m -p tcp 4444 -t mysqld_port_t
[root@localhost ~]# rpm -V selinux-policy-targeted
.M....... /etc/selinux/targeted/active/users_extra
[root@localhost ~]# ls -lZ /etc/selinux/targeted/active/users_extra
-rw-r--r--. root root unconfined_u:object_r:semanage_store_t:s0 /etc/selinux/targeted/active/users_extra
This can be worked around in openstack-selinux
It seems when you alter something with 'semanage', the /etc/selinux/targeted/active/users_extra file is rewritten with the wrong umask. I suspect we could simply have local_settings.sh use the right umask when installing policies.
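Added illustration, not part of the bug thread: a POSIX sh decoder for the nine-column `rpm -V` flag format seen above (".M......." means only the mode differs), plus a helper showing how the umask of the writing process decides whether a freshly rewritten file ends up 0644 or 0600. rpm itself is not invoked; the verify lines and the temporary file are constructed here.

```shell
#!/bin/sh
# rpm -V prints one line per file that differs from the package database:
# nine flag columns (S M 5 D L U G T P), an optional file-type letter
# (c = config, d = doc, ...), then the path. '.' means the attribute matches.
describe_rpm_verify_line() {
    flags=$(printf '%s' "$1" | cut -c1-9)
    path=$(printf '%s' "$1" | sed 's/^.\{9\} *\([cdglr] \)\{0,1\}//')
    reasons=""
    for i in 1 2 3 4 5 6 7 8 9; do
        c=$(printf '%s' "$flags" | cut -c"$i")
        case "$c" in
            S) reasons="$reasons size";;
            M) reasons="$reasons mode";;
            5) reasons="$reasons digest";;
            D) reasons="$reasons device";;
            L) reasons="$reasons symlink";;
            U) reasons="$reasons user";;
            G) reasons="$reasons group";;
            T) reasons="$reasons mtime";;
            P) reasons="$reasons capabilities";;
            '?') reasons="$reasons unreadable";;
        esac
    done
    printf '%s:%s\n' "$path" "$reasons"
}

# Mode (ls -l style) a newly created file receives under the given umask.
# A tool that rewrites users_extra with umask 022 produces -rw-r--r--, which
# rpm -V then reports as an 'M' mismatch against the packaged 0600.
mode_under_umask() {
    dir=$(mktemp -d)                        # constructed scratch location
    ( umask "$1"; : > "$dir/users_extra" )  # create with 0666 & ~umask
    mode=$(ls -l "$dir/users_extra" | cut -c1-10)
    rm -rf "$dir"
    printf '%s\n' "$mode"
}

# Stand-alone demonstration
describe_rpm_verify_line '.M....... /etc/selinux/targeted/active/users_extra'
mode_under_umask 022
mode_under_umask 077
```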
This reproduces on 7.4, so is not a regression.
https://github.com/redhat-openstack/openstack-selinux/commit/5afbeac1cc251a823aa0517fc5256a4f8697151e
Built in RDO Queens Trunk https://trunk.rdoproject.org/centos7-queens/5a/fb/5afbeac1cc251a823aa0517fc5256a4f8697151e_0b604285/openstack-selinux-0.8.14-0.20180327131230.5afbeac.el7.centos.noarch.rpm
In tested installation there is no rpm -V selinux-policy-targeted issue visible in overcloud container:

> [root@controller-0 heat-admin]# docker exec -ti -u root openstack-cinder-volume-docker-0 bash
> ()[root@controller-0 /]# stty cols 100
> ()[root@controller-0 /]# rpm -V selinux-policy-targeted
> ()[root@controller-0 /]# ls -l /etc/selinux/targeted/active/users_extra
> -rw-------. 1 root root 101 Jun 11 20:16 /etc/selinux/targeted/active/users_extra
> ()[root@controller-0 /]# rpm -q selinux-policy-targeted
> selinux-policy-targeted-3.13.1-192.el7_5.3.noarch

Also checked on controller in all containers where the given package is present, resulting in clean output.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2018:2086