Bug 1676446 - Since nis_enabled is not turned on by default, it breaks deployments with custom service ports
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux
Version: 13.0 (Queens)
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: z5
Target Release: 13.0 (Queens)
Assignee: Julie Pichon
QA Contact: nlevinki
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-02-12 10:18 UTC by Julie Pichon
Modified: 2020-07-20 01:15 UTC

Fixed In Version: openstack-selinux-0.8.17-2.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1671514
Environment:
Last Closed: 2019-03-14 13:34:20 UTC
Target Upstream Version:


Links: Red Hat Product Errata RHSA-2019:0564 (last updated 2019-03-14 13:34:27 UTC)

Description Julie Pichon 2019-02-12 10:18:52 UTC
+++ This bug was initially created as a clone of Bug #1671514 +++
+++ This bug was initially created as a clone of Bug #1489863 +++

Since nis_enabled is not automatically enabled, some deployments with custom ports are not working.

~~~
type=AVC msg=audit(1548880833.900:153941): avc:  denied  { name_connect } for  pid=4841 comm="glance-registry" dest=13357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket

	Was caused by:
	The boolean nis_enabled was set incorrectly. 
	Description:
	Allow nis to enabled

	Allow access by executing:
	# setsebool -P nis_enabled 1
~~~

Steps to reproduce:
- Deploy 10z9 with custom keystone port
- Spawn a stack

Actual result:

Glance registry fails with this traceback [1]

Workaround:
setsebool -P nis_enabled on

[1]
~~~
2019-01-31 11:16:07.334 4883 WARNING keystoneauth.identity.generic.base [-] Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL.
2019-01-31 11:16:07.336 4883 INFO eventlet.wsgi.server [-] Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/eventlet/wsgi.py", line 481, in handle_one_response
    result = self.application(self.environ, start_response)
  File "/usr/lib/python2.7/site-packages/webob/dec.py", line 130, in __call__
    resp = self.call_func(req, *args, **self.kwargs)
  File "/usr/lib/python2.7/site-packages/webob/dec.py", line 195, in call_func
    return self.func(req, *args, **kwargs)
  File "/usr/lib/python2.7/site-packages/oslo_middleware/base.py", line 126, in __call__
    response = req.get_response(self.application)
  File "/usr/lib/python2.7/site-packages/webob/request.py", line 1299, in send
    application, catch_exc_info=False)
  File "/usr/lib/python2.7/site-packages/webob/request.py", line 1263, in call_application
    app_iter = application(self.environ, start_response)
  File "/usr/lib/python2.7/site-packages/webob/dec.py", line 130, in __call__
    resp = self.call_func(req, *args, **self.kwargs)
  File "/usr/lib/python2.7/site-packages/webob/dec.py", line 195, in call_func
    return self.func(req, *args, **kwargs)
  File "/usr/lib/python2.7/site-packages/osprofiler/web.py", line 108, in __call__
    return request.get_response(self.application)
  File "/usr/lib/python2.7/site-packages/webob/request.py", line 1299, in send
    application, catch_exc_info=False)
  File "/usr/lib/python2.7/site-packages/webob/request.py", line 1263, in call_application
    app_iter = application(self.environ, start_response)
  File "/usr/lib/python2.7/site-packages/webob/dec.py", line 130, in __call__
    resp = self.call_func(req, *args, **self.kwargs)
  File "/usr/lib/python2.7/site-packages/webob/dec.py", line 195, in call_func
    return self.func(req, *args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystonemiddleware/auth_token/__init__.py", line 320, in __call__
    response = self.process_request(req)
  File "/usr/lib/python2.7/site-packages/keystonemiddleware/auth_token/__init__.py", line 552, in process_request
    resp = super(AuthProtocol, self).process_request(request)
  File "/usr/lib/python2.7/site-packages/keystonemiddleware/auth_token/__init__.py", line 348, in process_request
    data, user_auth_ref = self._do_fetch_token(request.user_token)
  File "/usr/lib/python2.7/site-packages/keystonemiddleware/auth_token/__init__.py", line 388, in _do_fetch_token
    data = self.fetch_token(token)
  File "/usr/lib/python2.7/site-packages/keystonemiddleware/auth_token/__init__.py", line 684, in fetch_token
    data = self._identity_server.verify_token(token)
  File "/usr/lib/python2.7/site-packages/keystonemiddleware/auth_token/_identity.py", line 214, in verify_token
    auth_ref = self._request_strategy.verify_token(user_token)
  File "/usr/lib/python2.7/site-packages/keystonemiddleware/auth_token/_identity.py", line 166, in _request_strategy
    strategy_class = self._get_strategy_class()
  File "/usr/lib/python2.7/site-packages/keystonemiddleware/auth_token/_identity.py", line 188, in _get_strategy_class
    if self._adapter.get_endpoint(version=klass.AUTH_VERSION):
  File "/usr/lib/python2.7/site-packages/keystoneauth1/adapter.py", line 146, in get_endpoint
    return self.session.get_endpoint(auth or self.auth, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/session.py", line 795, in get_endpoint
    return auth.get_endpoint(self, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/identity/base.py", line 212, in get_endpoint
    service_catalog = self.get_access(session).service_catalog
  File "/usr/lib/python2.7/site-packages/keystoneauth1/identity/base.py", line 136, in get_access
    self.auth_ref = self.get_auth_ref(session)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/identity/generic/base.py", line 179, in get_auth_ref
    self._plugin = self._do_create_plugin(session)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/identity/generic/base.py", line 174, in _do_create_plugin
    raise exceptions.DiscoveryFailure('Could not determine a suitable URL '
DiscoveryFailure: Could not determine a suitable URL for the plugin
~~~

--- Additional comment from David Vallee Delisle on 2019-02-06 13:16:29 UTC ---

They have: openstack-selinux-0.8.14-13.el7ost.noarch

[1] If that can help, here's the infringed policy.

This is a very specific use case where they use port 13357 for keystone because they followed our recommendation [2]

~~~
# sepolicy network -a /usr/bin/glance-registry
 
glance_registry_t: tcp name_connect
        111 (portmap_port_t) -- Allowed True [ nis_enabled=1 ]
        11211 (memcache_port_t)
        113 (auth_port_t) -- Allowed True [ daemons_use_tcp_wrapper=0 || nis_enabled=1 ]
        389, 636, 3268, 3269, 7389 (ldap_port_t) -- Allowed True [ nis_enabled=1 || authlogin_nsswitch_use_ldap=0 ]
        4444, 1186, 3306, 63132-63164 (mysqld_port_t)
        32768-61000 (ephemeral_port_t)
        32768-61000 (ephemeral_port_t)
        35357 (keystone_port_t)
        5000 (commplex_main_port_t)
        53 (dns_port_t)
        80, 81, 443, 488, 8008, 8009, 8443, 9000 (http_port_t)
        88, 750, 4444 (kerberos_port_t) -- Allowed True [ nis_enabled=1 || kerberos_enabled=1 ]
        8955 (dnssec_port_t)
        9080 (ocsp_port_t) -- Allowed True [ kerberos_enabled=1 ]
        all ports < 1024 (reserved_port_type) -- Allowed True [ nis_enabled=1 ]
        all ports with out defined types (port_t) -- Allowed True [ nis_enabled=1 ]
 
glance_registry_t: tcp name_bind
        32768-61000 (ephemeral_port_t) -- Allowed True [ nis_enabled=1 ]
        9191 (glance_registry_port_t)
        all ports with out defined types (port_t) -- Allowed True [ nis_enabled=1 ]
 
glance_registry_t: udp name_bind
        32768-61000 (ephemeral_port_t) -- Allowed True [ nis_enabled=1 ]
        all ports with out defined types (port_t) -- Allowed True [ nis_enabled=1 ]
~~~
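
The AVC denial quoted in the description and the `sepolicy network -a` listing above are two views of the same event: glance-registry connecting to a port that carries no service-specific label, which this policy only permits once nis_enabled is on. The Python script below is an added example, not code from the bug, from openstack-selinux or from sepolicy. It parses both formats and, for each denied permission, reports which row of the listing applies, whether the destination port has a service label at all, and which booleans gate the row. The AVC line and the listing are embedded as constructed samples copied in shape from this page; the script assumes that a denial on unreserved_port_t falls under sepolicy's "all ports with out defined types" row, which is consistent with the workaround's effect.

```python
import re

# Constructed sample input, copied in shape from the bug report (added example,
# not code from openstack-selinux or sepolicy).
AVC_LINE = (
    'type=AVC msg=audit(1548880833.900:153941): avc:  denied  { name_connect } '
    'for  pid=4841 comm="glance-registry" dest=13357 '
    'scontext=system_u:system_r:glance_registry_t:s0 '
    'tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket'
)
SEPOLICY_OUTPUT = """\
glance_registry_t: tcp name_connect
        111 (portmap_port_t) -- Allowed True [ nis_enabled=1 ]
        11211 (memcache_port_t)
        35357 (keystone_port_t)
        88, 750, 4444 (kerberos_port_t) -- Allowed True [ nis_enabled=1 || kerberos_enabled=1 ]
        all ports < 1024 (reserved_port_type) -- Allowed True [ nis_enabled=1 ]
        all ports with out defined types (port_t) -- Allowed True [ nis_enabled=1 ]
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEADER_RE = re.compile(r'^(?P<src>\w+): (?P<proto>tcp|udp) (?P<perm>\w+)\s*$')
ENTRY_RE = re.compile(r'^\s+(?P<ports>.+?) \((?P<ptype>\w+)\)'
                      r'(?: -- Allowed True \[ (?P<cond>[^\]]+?) \])?\s*$')
# Assumption made here: a denial on unreserved_port_t (a port with no service-
# specific label) falls under sepolicy's "all ports with out defined types" row,
# which is how the bug's nis_enabled workaround behaves.
CATCH_ALL_TYPES = {'port_t', 'unreserved_port_t'}

def parse_avc(line):
    """Extract permissions, destination port and the two SELinux types from an AVC line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m['rest'])}
    # An SELinux context is user:role:type:level; the type is the third field.
    return {'perms': m['perms'].split(),
            'dest_port': int(kv['dest']) if 'dest' in kv else None,
            'src_type': kv['scontext'].split(':')[2],
            'tgt_type': kv['tcontext'].split(':')[2],
            'proto': kv['tclass'].split('_')[0]}   # tcp_socket -> tcp

def parse_port_spec(spec):
    """'88, 750, 63132-63164' or 'all ports < 1024' -> (lo, hi) ranges; None = catch-all row."""
    if spec.startswith('all ports with out defined types'):
        return None
    m = re.match(r'all ports < (\d+)', spec)
    if m:
        return [(1, int(m[1]) - 1)]
    ranges = []
    for item in spec.split(','):
        lo, _, hi = item.strip().partition('-')
        ranges.append((int(lo), int(hi or lo)))
    return ranges

def parse_sepolicy(text):
    """Map (source_type, proto, perm) -> rows {ports, ptype, cond}; cond None = unconditional."""
    table, key = {}, None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            key = (h['src'], h['proto'], h['perm'])
            table[key] = []
            continue
        e = ENTRY_RE.match(line)
        if e and key is not None:
            table[key].append({'ports': parse_port_spec(e['ports']),
                               'ptype': e['ptype'], 'cond': e['cond']})
    return table

def port_label(rows, port):
    """Service port type covering `port`, or None when only the catch-all row does."""
    for r in rows:
        if r['ports'] and any(lo <= port <= hi for lo, hi in r['ports']):
            return r['ptype']
    return None

def triage(avc_line, sepolicy_text):
    """Per denied permission: the row that applies, the port's label and the gating booleans."""
    avc = parse_avc(avc_line)
    table = parse_sepolicy(sepolicy_text)
    findings = []
    for perm in avc['perms']:
        rows = table.get((avc['src_type'], avc['proto'], perm), [])
        row = next((r for r in rows if r['ptype'] == avc['tgt_type']), None)
        if row is None and avc['tgt_type'] in CATCH_ALL_TYPES:
            row = next((r for r in rows if r['ports'] is None), None)
        findings.append({
            'perm': perm,
            'port_label': port_label(rows, avc['dest_port']) if avc['dest_port'] else None,
            'rule_type': row['ptype'] if row else None,
            'gated_by': re.findall(r'(\w+)=[01]', row['cond']) if row and row['cond'] else [],
        })
    return findings

if __name__ == '__main__':
    for finding in triage(AVC_LINE, SEPOLICY_OUTPUT):
        print(finding)
```

A finding with an empty `gated_by` means the matching row is unconditional and a boolean is not the explanation for the denial; a non-empty one names the boolean that `setsebool -P` would flip, which for the bug's port 13357 is nis_enabled. The listing also shows that the same boolean opens every port below 1024 and every other unlabeled port to glance_registry_t, so the output is worth reading for what else a boolean turns on, not only for the denial at hand.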

--- Additional comment from Julie Pichon on 2019-02-08 10:41:13 UTC ---

Thank you for the reply and additional information. After investigating further, it looks like the issue that caused the booleans to not get picked up in some contexts was resolved, so reenabling this one for now should be ok.

Comment 17 errata-xmlrpc 2019-03-14 13:34:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:0564

