Bug 1747957
| Summary: | SELinux prevents OSP15 certificates to be created in default location (NEED_CA_CERT_SAVE_PERMS, | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Waldemar Znoinski <wznoinsk> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED DUPLICATE | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | urgent | Docs Contact: | |
| Priority: | high | | |
| Version: | 8.0 | CC: | alee, jpichon, lvrabec, mmalik, plautrba, ssekidde, zpytela |
| Target Milestone: | rc | | |
| Target Release: | 8.2 | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-09-04 14:17:29 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Hi,

How was this file created on the filesystem? Installed from RPM? Created by some process? Could you please attach the full path of the cert file from that system?

# find / -xdev -inum 7155884

The label of that file should be cert_t, but I need to know the full path to fix it in policy.

Thanks,
Lukas.

Shouldn't this be a simple "restorecon"?

This really looks a whole lot like https://bugzilla.redhat.com/show_bug.cgi?id=1743485 There is no reason that certmonger should be writing to ca.crt -- what's the full path of this? Are we sure the fix for the above bug made it into the tested build?

I've seen the issue with:
openstack-tripleo-heat-templates.noarch 10.6.1-0.20190826150036.30390bc.el8ost @rhelosp-15.0
puddle:
ContainerImagePrepare:
- push_destination: true
  set:
    ceph_image: rhceph-4.0-rhel8
    ceph_namespace: docker-registry.upshift.redhat.com/ceph
    ceph_tag: latest
    name_prefix: openstack-
    name_suffix: ''
    namespace: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/rhosp15
    neutron_driver: ovn
    tag: 20190829.2
according to https://bugzilla.redhat.com/show_bug.cgi?id=1743485 and its 'Fixed in version' I should not see it, if the issue I saw was caused by the same issue as in that (1743485) bug... but apparently, since I still saw it with a newer puddle and tripleo-heat-templates package, it's a different issue.

although I've tried to reproduce it today with:
[stack@undercloud-0 ~]$ yum list installed | grep -i selinux
container-selinux.noarch 2:2.94-1.git1e99f1d.module+el8.0.0+2958+4e823551 @rhosp-rhel-8.0-appstream
libselinux.x86_64 2.8-6.el8 @anaconda
libselinux-ruby.x86_64 2.8-6.el8 @rhosp-rhel-8.0-appstream
libselinux-utils.x86_64 2.8-6.el8 @anaconda
openstack-selinux.noarch 0.8.20-0.20190823110429.50e6b42.el8ost @rhelosp-15.0
openvswitch-selinux-extra-policy.noarch 1.0-18.el8fdp @rhosp-rhel-8.0-fdp
pcp-selinux.x86_64 4.3.0-4.el8_0 @rhosp-rhel-8.0-appstream
python3-libselinux.x86_64 2.8-6.el8 @anaconda
rpm-plugin-selinux.x86_64 4.14.2-10.el8_0 @rhosp-rhel-8.0-baseos
selinux-policy.noarch 3.14.1-61.el8_0.1 @rhosp-rhel-8.0-baseos
selinux-policy-targeted.noarch 3.14.1-61.el8_0.1 @rhosp-rhel-8.0-baseos
openstack-tripleo-heat-templates.noarch 10.6.1-0.20190826150036.30390bc.el8ost @rhelosp-15.0
puddle:
RHOS_TRUNK-15.0-RHEL-8-20190830.n.0
so with a 10 days younger release of openstack-selinux the timeout didn't appear (compared to 100% appearance before)

I'm going to redeploy with the new puddle/selinux/tht once more - if the issue does not surface, then I'll close this bug off

can't reproduce the issue anymore, seems to be gone for good (3 deployments with no issues)

*** This bug has been marked as a duplicate of bug 1743485 ***
Description of problem:
when deploying openstack OSP15 on RHEL8 host, selinux prevents CA certs to be created in default location

it's a blocker issue for OSP15 rel.

from audit.log
type=AVC msg=audit(1567417386.592:11344): avc: denied { write } for pid=942 comm="certmonger" name="ca.crt" dev="vda2" ino=7155884 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0

it results in the cert being stuck:
[root@controller-0 ~]# getcert list -i libvirt-vnc-client-cert
Number of certificates and requests being tracked: 21.
Request ID 'libvirt-vnc-client-cert':
    status: NEED_CA_CERT_SAVE_PERMS
    stuck: yes
    key pair storage: type=FILE,location='/etc/pki/libvirt-vnc/client-key.pem'
    certificate: type=FILE,location='/etc/pki/libvirt-vnc/client-cert.pem'
    CA: IPA
    issuer: CN=Certificate Authority,O=REDHAT.LOCAL
    subject: CN=controller-0.internalapi.redhat.local,O=REDHAT.LOCAL
    expires: 2021-08-30 13:22:25 UTC
    dns: controller-0.internalapi.redhat.local
    principal name: libvirt-vnc/controller-0.internalapi.redhat.local
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: systemctl reload libvirtd
    track: yes
    auto-renew: yes

the 'libvirt-vnc-client-cert' is being stuck and prevents any other (including OSP ones) cert from being processed obviously hence it's a general selinux issue ...
only in this case affecting OSP deployments

Version-Release number of selected component (if applicable):
RHEL:
[root@controller-0 ~]# cat /etc/*release
NAME="Red Hat Enterprise Linux"
VERSION="8.0 (Ootpa)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="8.0"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Red Hat Enterprise Linux 8.0 (Ootpa)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:8.0:GA"
HOME_URL="https://www.redhat.com/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 8"
REDHAT_BUGZILLA_PRODUCT_VERSION=8.0
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="8.0"
Red Hat Enterprise Linux release 8.0 (Ootpa)
Red Hat OpenStack Platform release 15.0.0 Beta (Stein)
Red Hat Enterprise Linux release 8.0 (Ootpa)

[root@controller-0 ~]# uname -a
Linux controller-0.redhat.local 4.18.0-80.7.2.el8_0.x86_64 #1 SMP Fri Jul 26 10:48:21 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

[root@controller-0 ~]# yum list installed | grep -i selinux
container-selinux.noarch 2:2.94-1.git1e99f1d.module+el8.0.0+2958+4e823551 @rhos-15.0-rhel-8-appstream
libselinux.x86_64 2.8-6.el8 @anaconda
libselinux-ruby.x86_64 2.8-6.el8 @rhos-15.0-rhel-8-appstream
libselinux-utils.x86_64 2.8-6.el8 @anaconda
openstack-selinux.noarch 0.8.19-0.20190813150447.72046d3.el8ost @rhos-15.0
openvswitch-selinux-extra-policy.noarch 1.0-18.el8fdp @rhos-15.0-rhel-8-fast-datapath
python3-libselinux.x86_64 2.8-6.el8 @anaconda
rpm-plugin-selinux.x86_64 4.14.2-10.el8_0 @koji-override-0
selinux-policy.noarch 3.14.1-61.el8_0.1 @koji-override-0
selinux-policy-targeted.noarch 3.14.1-61.el8_0.1 @koji-override-0

How reproducible:
100%

Steps to Reproduce:
1. deploy OSP15 on RHEL8
2.
3.

Actual results:
OSP deployment fails due to timeout - waiting for certmonger to issue cert

Expected results:
selinux to allow certmonger to create CA files, OSP to deploy successfully

Additional info:
I have an internal RH machine with this issue reproduced if one needs it for troubleshooting
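The denial quoted in the description and the stuck getcert request it causes can be correlated mechanically, which is what the following triage script does. It is an added example, not code from the bug report, from certmonger or from selinux-policy. It assumes a copy of the AVC record above and a constructed, abbreviated `getcert list` listing (the bug's stuck request plus one healthy request for contrast); the expectation that certificate files carry the `cert_t` type is taken from Lukas's comment in this bug and is the script's assumption.

```python
"""Triage helper for the symptom in this bug: a certmonger AVC denial on a
certificate file labelled etc_t, and the getcert request it leaves stuck.

Added example, not code from the bug report, certmonger or selinux-policy.
"""
import re
from datetime import datetime, timezone

# Copy of the AVC record quoted in the bug description (single line).
AVC_LINE = (
    'type=AVC msg=audit(1567417386.592:11344): avc: denied { write } for '
    'pid=942 comm="certmonger" name="ca.crt" dev="vda2" ino=7155884 '
    'scontext=system_u:system_r:certmonger_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0'
)

# Constructed, abbreviated `getcert list` output modelled on the report:
# the stuck request from the bug plus one healthy request for contrast.
GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID 'libvirt-vnc-client-cert':
\tstatus: NEED_CA_CERT_SAVE_PERMS
\tstuck: yes
\tkey pair storage: type=FILE,location='/etc/pki/libvirt-vnc/client-key.pem'
\tcertificate: type=FILE,location='/etc/pki/libvirt-vnc/client-cert.pem'
\tCA: IPA
Request ID 'example-healthy-cert':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=FILE,location='/etc/pki/example/cert.pem'
\tCA: IPA
"""

# The policy maintainer's comment says certificate files should be cert_t;
# treating that as the only acceptable type is this script's assumption.
EXPECTED_CERT_TYPES = {"cert_t"}

_AVC_RE = re.compile(
    r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc: +denied +"
    r"\{ *(?P<perms>[^}]*)\} +for +(?P<kv>.*)$"
)
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the AVC fields as a dict, or None if the line is not an AVC denial."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group("kv"))}
    rec = {
        "time": datetime.fromtimestamp(float(m.group("ts")), tz=timezone.utc),
        "serial": int(m.group("serial")),
        "perms": m.group("perms").split(),
        **fields,
    }
    # A context is user:role:type:level; type-enforcement rules key on the type.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec


def parse_getcert(text):
    """Parse `getcert list` output into one dict per tracked request."""
    requests, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ": " in line:
            key, value = line.split(": ", 1)
            current[key] = value
    return requests


def triage(avc_line, getcert_text):
    """Correlate a certmonger denial on a non-cert_t file with stuck requests."""
    findings = []
    avc = parse_avc(avc_line)
    if (avc and avc["source_type"] == "certmonger_t"
            and avc["target_type"] not in EXPECTED_CERT_TYPES):
        findings.append(
            f"{avc['time']:%Y-%m-%d %H:%M:%S} UTC: certmonger denied "
            f"{','.join(avc['perms'])} on {avc['name']} (inode {avc['ino']} on "
            f"{avc['dev']}) labelled {avc['target_type']}, expected "
            f"{'/'.join(sorted(EXPECTED_CERT_TYPES))}; locate it with "
            f"'find / -xdev -inum {avc['ino']}' and compare its label with "
            f"'matchpathcon' before running restorecon"
        )
    for req in parse_getcert(getcert_text):
        if req.get("stuck") == "yes":
            findings.append(
                f"request {req['id']} is stuck in {req.get('status')} "
                f"(certificate {req.get('certificate', '?')})"
            )
    return findings


if __name__ == "__main__":
    for finding in triage(AVC_LINE, GETCERT_OUTPUT):
        print(finding)
```

Run as-is it prints one finding for the mislabelled file and one for the stuck request. The point of checking the type against `matchpathcon` before a `restorecon` is the one raised in the thread: if the file's path is one the policy already maps to `cert_t`, a relabel is the fix; if the path is not covered by policy, `restorecon` changes nothing and the file context needs to be added to the policy, which is why the maintainer asked for the full path.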