Bug 1563173 - SElinux denial when saving certificate for vnc service
Summary: SElinux denial when saving certificate for vnc service
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 13.0 (Queens)
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: beta
Target Release: 13.0 (Queens)
Assignee: Ollie Walsh
QA Contact: Archit Modi
URL:
Whiteboard:
Depends On:
Blocks: 1534484
Reported: 2018-04-03 10:38 UTC by Damien Ciabrini
Modified: 2018-06-27 13:50 UTC (History)

Fixed In Version: openstack-tripleo-heat-templates-8.0.2-0.20180327213846.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-06-27 13:50:03 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
OpenStack gerrit 559371 0 None MERGED Correct the InternalTLSVncCAFile to comply with selinux policy 2020-09-01 09:38:33 UTC
Red Hat Product Errata RHEA-2018:2086 0 None None None 2018-06-27 13:50:53 UTC

Description Damien Ciabrini 2018-04-03 10:38:25 UTC
Description of problem:
When deploying an overcloud with TLS everywhere, compute nodes cannot fetch and store the certificate for VNC because of a SELinux denial:

[root@compute-1 ~]# /usr/bin/getcert list -i libvirt-vnc-server-cert
Number of certificates and requests being tracked: 4.
Request ID 'libvirt-vnc-server-cert':
        status: NEED_CA_CERT_SAVE_PERMS
        stuck: yes
        key pair storage: type=FILE,location='/etc/pki/libvirt-vnc/server-key.pem'
        certificate: type=FILE,location='/etc/pki/libvirt-vnc/server-cert.pem'
        CA: IPA
        issuer:
        subject:
        expires: unknown
        pre-save command:
        post-save command: "systemctl reload libvirtd"
        track: yes
        auto-renew: yes
[root@compute-1 ~]# ls -l /etc/pki/libvirt-vnc/
total 8
lrwxrwxrwx. 1 root root   16 Apr  3 10:27 ca-cert.pem -> /etc/ipa/vnc.crt
-rw-r--r--. 1 root root 1793 Apr  3 10:27 server-cert.pem
-rw-r-----. 1 root qemu 1704 Apr  3 10:27 server-key.pem
[root@compute-1 ~]# grep -i denied /var/log/audit/audit.log
type=AVC msg=audit(1522743223.463:133): avc:  denied  { create } for  pid=15813 comm="certmonger" name="vnc.crt" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file

Apparently vnc.crt should land in /etc/ipa, but is being denied creation:

[root@compute-1 ~]# ls -lZ /etc/ipa
-rw-r--r--. root root system_u:object_r:etc_t:s0       ca.crt
-rw-r--r--. root root system_u:object_r:etc_t:s0       default.conf
drwxr-xr-x. root root system_u:object_r:cert_t:s0      nssdb


Version-Release number of selected component (if applicable):
openstack-selinux-0.8.14-0.20180327131230.5afbeac.el7ost.noarch

How reproducible:
Always

Steps to Reproduce:
1. deploy an overcloud with TLS-everywhere enabled

Actual results:
Deployment fails at step1

Expected results:
Deployment should succeed

Additional info:

Comment 1 Damien Ciabrini 2018-04-03 15:42:11 UTC
Quick note: when setting SELinux to permissive, the deployment succeeds and the only denials in the audit file are:

type=AVC msg=audit(1522764949.207:133): avc:  denied  { create } for  pid=19181 comm="certmonger" name="vnc.crt" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1522764949.207:133): avc:  denied  { write } for  pid=19181 comm="certmonger" path="/etc/ipa/vnc.crt" dev="vda2" ino=9523099 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
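
The two denials above are the whole signature of this bug: certmonger_t is refused `create` and `write` on a file that carries the generic etc_t label rather than a certificate label. The following added example (not part of the bug report or of tripleo-heat-templates) parses audit.log AVC records and reports every file certmonger_t was denied on whose label is not one certmonger is expected to manage; the assumption that its files should be cert_t is a labelled assumption, and the sample records are constructed from the ones quoted in this comment.

```python
import re

# Constructed sample: the two AVC records from Comment 1 plus an unrelated
# non-AVC record, so the parser must skip lines it does not understand.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1522764949.207:133): avc:  denied  { create } for  pid=19181 comm="certmonger" name="vnc.crt" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1522764949.207:133): avc:  denied  { write } for  pid=19181 comm="certmonger" path="/etc/ipa/vnc.crt" dev="vda2" ino=9523099 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SERVICE_START msg=audit(1522764950.100:134): pid=1 uid=0 msg='unit=libvirtd'
"""

AVC_RE = re.compile(r'^type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<kv>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def se_type(context):
    """Return the type field of a user:role:type:level SELinux context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Parse one AVC denial record into a dict; return None for any other record."""
    m = AVC_RE.match(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("kv"))}
    rec["perms"] = m.group("perms").split()
    rec["source_type"] = se_type(rec.get("scontext", ""))
    rec["target_type"] = se_type(rec.get("tcontext", ""))
    return rec


def mislabeled_targets(audit_text, domain="certmonger_t", expected_types=("cert_t",)):
    """Denials where `domain` touched a file whose label is not one it is expected
    to manage (assumption: certmonger-managed files carry cert_t).
    Returns (permission, target name or path, actual target type) tuples."""
    found = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["source_type"] != domain or rec.get("tclass") != "file":
            continue
        if rec["target_type"] in expected_types:
            continue  # denied for some other reason; not a labelling problem
        target = rec.get("path") or rec.get("name", "?")
        for perm in rec["perms"]:
            found.append((perm, target, rec["target_type"]))
    return found


if __name__ == "__main__":
    for perm, target, ttype in mislabeled_targets(SAMPLE_AUDIT):
        print(f"certmonger_t denied {perm} on {target} (labelled {ttype})")
```

Run against a real /var/log/audit/audit.log this pinpoints which path the CA file is being written to, which is what the upstream fix changed (the InternalTLSVncCAFile location) instead of loosening policy.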

Comment 13 errata-xmlrpc 2018-06-27 13:50:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:2086

