Bug 1560019 - OSP container images do not pass RPM verification check
Summary: OSP container images do not pass RPM verification check
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux
Version: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: beta
Target Release: 13.0 (Queens)
Assignee: Lon Hohberger
QA Contact: Pavel Sedlák
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-03-23 18:08 UTC by Alan Bishop
Modified: 2018-06-27 13:48 UTC (History)

Fixed In Version: openstack-selinux-0.8.14-1.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1561022
Environment:
Last Closed: 2018-06-27 13:48:15 UTC
Target Upstream Version:
Embargoed:




Links:
Red Hat Product Errata RHEA-2018:2086 (last updated 2018-06-27 13:48:48 UTC)

Description Alan Bishop 2018-03-23 18:08:41 UTC
Description of problem:

Base (i.e. unmodified) OSP containers are failing one of the certification
checks enforced by the system our partners will use to distribute their OSP
container plugins. Our partners' container images won't pass the certification
checks unless the base images pass.

The test that fails is called "rpm_verify_successful" and it ensures all
packages pass the "rpm -V" test. The selinux-policy-targeted RPM fails:

[root@overcloud-controller-0 ~]# docker exec -ti -u root cinder_volume bash
()[root@overcloud-controller-0 /]# stty cols 100
()[root@overcloud-controller-0 /]# rpm -V selinux-policy-targeted
.M.......    /etc/selinux/targeted/active/users_extra

The issue appears to be incorrect permission on the users_extra file, and
if corrected the verification passes:

()[root@overcloud-controller-0 /]# ls -l /etc/selinux/targeted/active/users_extra
-rw-r--r--. 1 root root 101 Mar  6 04:56 /etc/selinux/targeted/active/users_extra
()[root@overcloud-controller-0 /]# chmod 0600 /etc/selinux/targeted/active/users_extra
()[root@overcloud-controller-0 /]# rpm -V selinux-policy-targeted
()[root@overcloud-controller-0 /]# 

I checked a couple of containers (not just cinder) and every one I checked
was affected. This makes me believe the problem lies in the "openstack-base"
image.

I also observe the problem when checking upstream TripleO containers, so
the root cause is likely upstream.

Comment 1 Lon Hohberger 2018-03-26 18:53:09 UTC
This is outside of containers - on RHEL 7.5 beta:

[root@localhost ~]# rpm -V selinux-policy-targeted
[root@localhost ~]# ls -lZ /etc/selinux/targeted/active/users_extra
-rw-------. root root unconfined_u:object_r:semanage_store_t:s0 /etc/selinux/targeted/active/users_extra
[root@localhost ~]# semanage port -N -m -p tcp 4444 -t mysqld_port_t
[root@localhost ~]# rpm -V selinux-policy-targeted
.M.......    /etc/selinux/targeted/active/users_extra
[root@localhost ~]# ls -lZ /etc/selinux/targeted/active/users_extra
-rw-r--r--. root root unconfined_u:object_r:semanage_store_t:s0 /etc/selinux/targeted/active/users_extra

Comment 2 Lon Hohberger 2018-03-26 18:55:08 UTC
This can be worked around in openstack-selinux

Comment 3 Lon Hohberger 2018-03-26 18:59:34 UTC
It seems when you alter something with 'semanage', the /etc/selinux/targeted/active/users_extra file is rewritten with the wrong umask.

I suspect we could simply have local_settings.sh use the right umask when installing policies.
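
The `.M.......` column quoted in the description is rpm's attribute-flag string; as an added example (not code from the bug or from the openstack-selinux package), the POSIX shell script below decodes it, turns `rpm -V` output into a pass/fail verdict of the kind the "rpm_verify_successful" check applies, and wraps a command in the restrictive umask comment 3 suggests. The `rpm -V` line it feeds itself is constructed, and `with_policy_umask` is a hypothetical wrapper, not the shipped fix.

```sh
#!/bin/sh
# Decode the nine-character attribute column of `rpm -V` output, e.g.
# ".M......." in the report, into rpm's attribute names.
rpmv_decode() {
    flags=$1
    out=""
    i=1
    while [ "$i" -le 9 ]; do
        c=$(printf '%s' "$flags" | cut -c"$i")
        case "$i$c" in
            1S) out="$out size" ;;     # file size differs
            2M) out="$out mode" ;;     # permissions/type differ (this bug)
            35) out="$out digest" ;;   # content digest differs
            4D) out="$out device" ;;   # device major/minor differ
            5L) out="$out link" ;;     # symlink target differs
            6U) out="$out user" ;;     # owner differs
            7G) out="$out group" ;;    # group differs
            8T) out="$out mtime" ;;    # modification time differs
            9P) out="$out caps" ;;     # file capabilities differ
        esac
        i=$((i + 1))
    done
    printf '%s\n' "${out# }"
}
# Read `rpm -V` lines on stdin, print each failing path with its decoded
# attributes, and return 1 if anything failed (what the cert check rejects).
rpmv_check() {
    rc=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        flags=${line%% *}     # first field: flag string or "missing"
        path=${line##* }      # last field: the path (skips a "c" marker)
        if [ "$flags" = missing ]; then
            printf '%s: missing\n' "$path"; rc=1
        else
            attrs=$(rpmv_decode "$flags")
            [ -z "$attrs" ] || { printf '%s: %s\n' "$path" "$attrs"; rc=1; }
        fi
    done
    return "$rc"
}
# Hypothetical wrapper (not the openstack-selinux fix): run a policy-changing
# command under umask 077 so a rewritten users_extra comes out 0600 as packaged.
with_policy_umask() {
    ( umask 077 && "$@" )
}
# Constructed sample line in the format the report quotes (not real output).
printf '.M.......    /etc/selinux/targeted/active/users_extra\n' | rpmv_check || echo "rpm -V reported failures"
```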

Comment 4 Lon Hohberger 2018-03-26 19:26:24 UTC
This reproduces on 7.4, so is not a regression.

Comment 11 Pavel Sedlák 2018-06-14 18:05:12 UTC
In the tested installation there is no rpm -V selinux-policy-targeted issue visible in the overcloud container:

> [root@controller-0 heat-admin]# docker exec -ti -u root openstack-cinder-volume-docker-0 bash
> ()[root@controller-0 /]# stty cols 100
> ()[root@controller-0 /]# rpm -V selinux-policy-targeted
> ()[root@controller-0 /]# ls -l /etc/selinux/targeted/active/users_extra
> -rw-------. 1 root root 101 Jun 11 20:16 /etc/selinux/targeted/active/users_extra
> ()[root@controller-0 /]# rpm -q selinux-policy-targeted
> selinux-policy-targeted-3.13.1-192.el7_5.3.noarch

Also checked on the controller in all containers where the given package is present, resulting in clean output.

Comment 13 errata-xmlrpc 2018-06-27 13:48:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:2086
