Bug 1671514 - Since nis_enabled is not turned on by default, it breaks deployments with custom service ports
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux
Version: 10.0 (Newton)
Hardware: x86_64
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: zstream
Target Release: 10.0 (Newton)
Assignee: Julie Pichon
QA Contact: Julie Pichon
URL:
Whiteboard:
Depends On: 1489863
Blocks:
Reported: 2019-01-31 19:11 UTC by David Vallee Delisle
Modified: 2023-03-24 14:32 UTC (History)

Fixed In Version: openstack-selinux-0.8.17-2.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1489863
Clones: 1676446
Environment:
Last Closed: 2019-04-30 16:59:39 UTC
Target Upstream Version:
Embargoed:


Links:
Github e16a8f8ef52cc5147b73dda508f7da41368b7ea8 (last updated 2020-02-12 11:54:11 UTC)
Red Hat Product Errata RHBA-2019:0922 (last updated 2019-04-30 16:59:48 UTC)

Description David Vallee Delisle 2019-01-31 19:11:39 UTC
+++ This bug was initially created as a clone of Bug #1489863 +++

Since nis_enabled is not automatically enabled, some deployments with custom ports are not working.

~~~
type=AVC msg=audit(1548880833.900:153941): avc:  denied  { name_connect } for  pid=4841 comm="glance-registry" dest=13357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket

	Was caused by:
	The boolean nis_enabled was set incorrectly. 
	Description:
	Allow nis to enabled

	Allow access by executing:
	# setsebool -P nis_enabled 1
~~~

Steps to reproduce:
- Deploy 10z9 with custom keystone port
- Spawn a stack

Actual result:

Glance registry fails with this traceback [1]

Workaround:
setsebool -P nis_enabled on

[1]
~~~
2019-01-31 11:16:07.334 4883 WARNING keystoneauth.identity.generic.base [-] Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL.
2019-01-31 11:16:07.336 4883 INFO eventlet.wsgi.server [-] Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/eventlet/wsgi.py", line 481, in handle_one_response
    result = self.application(self.environ, start_response)
  File "/usr/lib/python2.7/site-packages/webob/dec.py", line 130, in __call__
    resp = self.call_func(req, *args, **self.kwargs)
  File "/usr/lib/python2.7/site-packages/webob/dec.py", line 195, in call_func
    return self.func(req, *args, **kwargs)
  File "/usr/lib/python2.7/site-packages/oslo_middleware/base.py", line 126, in __call__
    response = req.get_response(self.application)
  File "/usr/lib/python2.7/site-packages/webob/request.py", line 1299, in send
    application, catch_exc_info=False)
  File "/usr/lib/python2.7/site-packages/webob/request.py", line 1263, in call_application
    app_iter = application(self.environ, start_response)
  File "/usr/lib/python2.7/site-packages/webob/dec.py", line 130, in __call__
    resp = self.call_func(req, *args, **self.kwargs)
  File "/usr/lib/python2.7/site-packages/webob/dec.py", line 195, in call_func
    return self.func(req, *args, **kwargs)
  File "/usr/lib/python2.7/site-packages/osprofiler/web.py", line 108, in __call__
    return request.get_response(self.application)
  File "/usr/lib/python2.7/site-packages/webob/request.py", line 1299, in send
    application, catch_exc_info=False)
  File "/usr/lib/python2.7/site-packages/webob/request.py", line 1263, in call_application
    app_iter = application(self.environ, start_response)
  File "/usr/lib/python2.7/site-packages/webob/dec.py", line 130, in __call__
    resp = self.call_func(req, *args, **self.kwargs)
  File "/usr/lib/python2.7/site-packages/webob/dec.py", line 195, in call_func
    return self.func(req, *args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystonemiddleware/auth_token/__init__.py", line 320, in __call__
    response = self.process_request(req)
  File "/usr/lib/python2.7/site-packages/keystonemiddleware/auth_token/__init__.py", line 552, in process_request
    resp = super(AuthProtocol, self).process_request(request)
  File "/usr/lib/python2.7/site-packages/keystonemiddleware/auth_token/__init__.py", line 348, in process_request
    data, user_auth_ref = self._do_fetch_token(request.user_token)
  File "/usr/lib/python2.7/site-packages/keystonemiddleware/auth_token/__init__.py", line 388, in _do_fetch_token
    data = self.fetch_token(token)
  File "/usr/lib/python2.7/site-packages/keystonemiddleware/auth_token/__init__.py", line 684, in fetch_token
    data = self._identity_server.verify_token(token)
  File "/usr/lib/python2.7/site-packages/keystonemiddleware/auth_token/_identity.py", line 214, in verify_token
    auth_ref = self._request_strategy.verify_token(user_token)
  File "/usr/lib/python2.7/site-packages/keystonemiddleware/auth_token/_identity.py", line 166, in _request_strategy
    strategy_class = self._get_strategy_class()
  File "/usr/lib/python2.7/site-packages/keystonemiddleware/auth_token/_identity.py", line 188, in _get_strategy_class
    if self._adapter.get_endpoint(version=klass.AUTH_VERSION):
  File "/usr/lib/python2.7/site-packages/keystoneauth1/adapter.py", line 146, in get_endpoint
    return self.session.get_endpoint(auth or self.auth, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/session.py", line 795, in get_endpoint
    return auth.get_endpoint(self, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/identity/base.py", line 212, in get_endpoint
    service_catalog = self.get_access(session).service_catalog
  File "/usr/lib/python2.7/site-packages/keystoneauth1/identity/base.py", line 136, in get_access
    self.auth_ref = self.get_auth_ref(session)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/identity/generic/base.py", line 179, in get_auth_ref
    self._plugin = self._do_create_plugin(session)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/identity/generic/base.py", line 174, in _do_create_plugin
    raise exceptions.DiscoveryFailure('Could not determine a suitable URL '
DiscoveryFailure: Could not determine a suitable URL for the plugin
~~~

Comment 1 Julie Pichon 2019-02-06 10:03:14 UTC
Hi, could you confirm which openstack-selinux RPM version is installed? Thank you.

Comment 2 Julie Pichon 2019-02-06 10:54:52 UTC
Also, it would be useful to run the command again with SELinux in permissive mode and provide the audit.log, in case there are other AVCs we need to make sure are cleared. Thank you.

Comment 4 David Vallee Delisle 2019-02-06 13:16:29 UTC
They have: openstack-selinux-0.8.14-13.el7ost.noarch

[1] If that can help, here's the infringed policy.

This is a very specific use case where they use port 13357 for keystone because they followed our recommendation [2]

~~~
# sepolicy network -a /usr/bin/glance-registry
 
glance_registry_t: tcp name_connect
        111 (portmap_port_t) -- Allowed True [ nis_enabled=1 ]
        11211 (memcache_port_t)
        113 (auth_port_t) -- Allowed True [ daemons_use_tcp_wrapper=0 || nis_enabled=1 ]
        389, 636, 3268, 3269, 7389 (ldap_port_t) -- Allowed True [ nis_enabled=1 || authlogin_nsswitch_use_ldap=0 ]
        4444, 1186, 3306, 63132-63164 (mysqld_port_t)
        32768-61000 (ephemeral_port_t)
        32768-61000 (ephemeral_port_t)
        35357 (keystone_port_t)
        5000 (commplex_main_port_t)
        53 (dns_port_t)
        80, 81, 443, 488, 8008, 8009, 8443, 9000 (http_port_t)
        88, 750, 4444 (kerberos_port_t) -- Allowed True [ nis_enabled=1 || kerberos_enabled=1 ]
        8955 (dnssec_port_t)
        9080 (ocsp_port_t) -- Allowed True [ kerberos_enabled=1 ]
        all ports < 1024 (reserved_port_type) -- Allowed True [ nis_enabled=1 ]
        all ports with out defined types (port_t) -- Allowed True [ nis_enabled=1 ]
 
glance_registry_t: tcp name_bind
        32768-61000 (ephemeral_port_t) -- Allowed True [ nis_enabled=1 ]
        9191 (glance_registry_port_t)
        all ports with out defined types (port_t) -- Allowed True [ nis_enabled=1 ]
 
glance_registry_t: udp name_bind
        32768-61000 (ephemeral_port_t) -- Allowed True [ nis_enabled=1 ]
        all ports with out defined types (port_t) -- Allowed True [ nis_enabled=1 ]
~~~
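The AVC in the description and the `sepolicy network` listing in comment 4 together explain the failure: port 13357 has no SELinux port label, so it falls into the "all ports with out defined types" bucket, which glance_registry_t may only connect to when nis_enabled is on, while the default keystone port 35357 is labelled keystone_port_t and allowed unconditionally. The script below is an added example, not part of this bug report or of the openstack-selinux project: it parses an audit AVC record and the sepolicy output as printed on this page and reports whether the destination port is labelled, whether the connect is allowed under a given set of booleans, and which booleans gate it. Assumptions made here: a port not matched by any explicit port list is treated as belonging to the catch-all "all ports ..." rows (the AVC shows that bucket as unreserved_port_t), booleans not listed are treated as off, and the sample inputs are transcribed from this page.

```python
import re

# Constructed sample input: the AVC denial quoted in the bug description (audit.log format).
AVC_LINE = (
    'type=AVC msg=audit(1548880833.900:153941): avc:  denied  { name_connect } '
    'for  pid=4841 comm="glance-registry" dest=13357 '
    'scontext=system_u:system_r:glance_registry_t:s0 '
    'tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket'
)

# Constructed sample input: the `sepolicy network -a /usr/bin/glance-registry` output
# quoted in comment 4 (tcp sections only, duplicate ephemeral row dropped).
SEPOLICY_OUTPUT = """\
glance_registry_t: tcp name_connect
        111 (portmap_port_t) -- Allowed True [ nis_enabled=1 ]
        11211 (memcache_port_t)
        113 (auth_port_t) -- Allowed True [ daemons_use_tcp_wrapper=0 || nis_enabled=1 ]
        389, 636, 3268, 3269, 7389 (ldap_port_t) -- Allowed True [ nis_enabled=1 || authlogin_nsswitch_use_ldap=0 ]
        4444, 1186, 3306, 63132-63164 (mysqld_port_t)
        32768-61000 (ephemeral_port_t)
        35357 (keystone_port_t)
        5000 (commplex_main_port_t)
        53 (dns_port_t)
        80, 81, 443, 488, 8008, 8009, 8443, 9000 (http_port_t)
        88, 750, 4444 (kerberos_port_t) -- Allowed True [ nis_enabled=1 || kerberos_enabled=1 ]
        8955 (dnssec_port_t)
        9080 (ocsp_port_t) -- Allowed True [ kerberos_enabled=1 ]
        all ports < 1024 (reserved_port_type) -- Allowed True [ nis_enabled=1 ]
        all ports with out defined types (port_t) -- Allowed True [ nis_enabled=1 ]

glance_registry_t: tcp name_bind
        32768-61000 (ephemeral_port_t) -- Allowed True [ nis_enabled=1 ]
        9191 (glance_registry_port_t)
        all ports with out defined types (port_t) -- Allowed True [ nis_enabled=1 ]
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perm>\w+)\s*\}.*?comm="(?P<comm>[^"]*)".*?dest=(?P<dest>\d+)'
    r'.*?scontext=(?:[^:\s]+:){2}(?P<stype>[^:\s]+).*?tcontext=(?:[^:\s]+:){2}(?P<ttype>[^:\s]+)'
    r'.*?tclass=(?P<tclass>\w+)')
SECTION_RE = re.compile(r'^(?P<domain>\w+): (?P<proto>tcp|udp) (?P<perm>\w+)$')
RULE_RE = re.compile(
    r'^(?P<ports>[^(]+?)\s+\((?P<type>\w+)\)(?:\s+-- Allowed True \[\s*(?P<cond>[^\]]+?)\s*\])?$')


def parse_avc(line):
    """Extract the fields that matter for a port-access denial from one audit AVC record."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError('not a port AVC denial: %r' % line)
    d = m.groupdict()
    d['dest'] = int(d['dest'])
    d['proto'] = d['tclass'].split('_')[0]  # tcp_socket -> tcp, udp_socket -> udp
    return d


def parse_sepolicy(text):
    """Parse `sepolicy network` output into {(proto, permission): [rule, ...]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            current = sections.setdefault((sec.group('proto'), sec.group('perm')), [])
            continue
        rule = RULE_RE.match(line)
        if not rule or current is None:
            continue
        ports = rule.group('ports')
        if ports.startswith('all ports <'):          # reserved_port_type bucket
            kind, ranges = 'reserved', [(0, 1023)]
        elif ports.startswith('all ports with'):     # ports with no defined type (assumption: the AVC's unreserved_port_t)
            kind, ranges = 'undefined', []
        else:                                        # explicit port list, single ports or lo-hi ranges
            kind, ranges = 'explicit', []
            for p in ports.split(','):
                lo, _, hi = p.strip().partition('-')
                ranges.append((int(lo), int(hi or lo)))
        current.append({'kind': kind, 'ranges': ranges, 'type': rule.group('type'), 'cond': rule.group('cond')})
    return sections


def condition_terms(cond):
    """'a=1 || b=0' -> [('a', 1), ('b', 0)]; None (unconditional rule) -> []."""
    if not cond:
        return []
    return [(n.strip(), int(v)) for n, v in (t.split('=') for t in cond.split('||'))]


def condition_holds(cond, booleans):
    """Unconditional rules always hold; a conditional one holds if any OR-term matches (unlisted booleans are off)."""
    terms = condition_terms(cond)
    return not terms or any(booleans.get(n, 0) == v for n, v in terms)


def matching_rules(rules, port):
    """Explicitly labelled ports use their own type; anything else falls into the catch-all buckets."""
    explicit = [r for r in rules if r['kind'] == 'explicit'
                and any(lo <= port <= hi for lo, hi in r['ranges'])]
    if explicit:
        return explicit
    return [r for r in rules if r['kind'] == 'undefined' or (r['kind'] == 'reserved' and port < 1024)]


def diagnose(avc_line, sepolicy_text, booleans):
    """Explain one port AVC denial against the sepolicy rules for that domain, protocol and permission."""
    avc = parse_avc(avc_line)
    rules = parse_sepolicy(sepolicy_text).get((avc['proto'], avc['perm']), [])
    matches = matching_rules(rules, avc['dest'])
    return {
        'comm': avc['comm'], 'domain': avc['stype'], 'port': avc['dest'], 'port_type': avc['ttype'],
        'labelled': any(r['kind'] == 'explicit' for r in matches),
        'allowed': any(condition_holds(r['cond'], booleans) for r in matches),
        # booleans that would open this port for the domain as it is currently labelled
        'gating_booleans': sorted({n for r in matches for n, _ in condition_terms(r['cond'])}),
    }


if __name__ == '__main__':
    for booleans in ({}, {'nis_enabled': 1}):
        print(booleans, diagnose(AVC_LINE, SEPOLICY_OUTPUT, booleans))
```

Running the script with nis_enabled off reproduces the denial (port 13357 unlabelled, not allowed, gated only by nis_enabled); with the boolean on the connect is allowed, matching the `setsebool -P nis_enabled on` workaround. Feeding in the same AVC with `dest=35357` shows the default port covered by keystone_port_t without any boolean, which is why only custom-port deployments hit this. Note that nis_enabled opens every unlabelled port for the domain, so where a custom service port is fixed, labelling it (`semanage port -a -t keystone_port_t -p tcp 13357`, a general SELinux practice and not something this bug prescribes) is the narrower alternative to keep in mind.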

Comment 5 Julie Pichon 2019-02-08 10:41:13 UTC
Thank you for the reply and additional information. After investigating further, it looks like the issue that caused the booleans to not get picked up in some contexts was resolved, so reenabling this one for now should be ok.

Comment 14 Julie Pichon 2019-04-23 15:37:45 UTC
https://github.com/redhat-openstack/openstack-selinux/commit/282e8a1e450703e7c9f78121c9b0d2e00228fb55

Sanity-check:

$ rpm -q openstack-selinux
openstack-selinux-0.8.18-1.el7ost.noarch

$ ls /usr/share/openstack-selinux/0.8.18/tests/ | grep 1671514
bz1671514

$ sudo /usr/share/openstack-selinux/0.8.18/tests/check_all 
Results: 797 total, 0 failed
Overall result: PASS

Comment 16 errata-xmlrpc 2019-04-30 16:59:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0922

