1641743 – On RHEL 7.6 Undercloud installation fails on nova-api: sudo in nova-rootwrap blocked by SELinux

Bug 1641743 - On RHEL 7.6 Undercloud installation fails on nova-api: sudo in nova-rootwrap blocked by SELinux

Summary: On RHEL 7.6 Undercloud installation fails on nova-api: sudo in nova-rootwrap ...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-selinux
Sub Component:
Version:	10.0 (Newton)
Hardware:	Unspecified
OS:	Linux
Priority:	urgent
Severity:	high
Target Milestone:	z3
Target Release:	10.0 (Newton)
Assignee:	Zoli Caplovic
QA Contact:	Julie Pichon
Docs Contact:
URL:
Whiteboard:
Depends On:	1638547 1638548 1640528 1641671
Blocks:	1641746
TreeView+	depends on / blocked

Reported:	2018-10-22 15:26 UTC by Zoli Caplovic
Modified:	2019-04-30 16:59 UTC (History)
CC List:	6 users (show)
Fixed In Version:	openstack-selinux-0.8.15-1.el7ost
Doc Type:	Rebase: Bug Fixes and Enhancements
Doc Text:
Clone Of:	1641671
Clones:	1641746 (view as bug list)
Environment:
Last Closed:	2019-04-30 16:59:39 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2019:0922	0	None	None	None	2019-04-30 16:59:48 UTC

Comment 2 Lon Hohberger 2018-11-01 10:43:17 UTC

According to our records, this should be resolved by openstack-selinux-0.8.15-1.el7ost.  This build is available now.

Comment 3 Julie Pichon 2019-04-23 15:49:02 UTC

Sanity-check:

$ rpm -q openstack-selinux
openstack-selinux-0.8.18-1.el7ost.noarch

$ ls /usr/share/openstack-selinux/0.8.18/tests/ | grep 1640528 (bug referenced in the commit from the description)
bz1640528

$ grep execute /usr/share/openstack-selinux/0.8.18/tests/bz1640528 (similar AVC to description)
type=AVC msg=audit(...): avc:  denied  { execute } for  pid=... comm="sudo" name="unix_chkpwd" dev="vda1" ino=... scontext=system_u:system_r:nova_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=1

$ sudo /usr/share/openstack-selinux/0.8.18/tests/check_all 
Results: 797 total, 0 failed
Overall result: PASS

Comment 5 errata-xmlrpc 2019-04-30 16:59:39 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0922

Note You need to log in before you can comment on or make changes to this bug.