Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1748885

Summary: Discrepancies between selinux rules in tripleo-heat-templates and openstack-selinux put some services at risk during update.
Product: Red Hat OpenStack
Reporter: Sofer Athlan-Guyot <sathlang>
Component: openstack-selinux
Assignee: Julie Pichon <jpichon>
Status: CLOSED INSUFFICIENT_DATA
QA Contact: nlevinki <nlevinki>
Severity: medium
Priority: medium
Version: 15.0 (Stein)
CC: lhh, lvrabec, zcaplovi
Target Milestone: ---
Keywords: Triaged, ZStream
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2020-01-02 09:19:53 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Sofer Athlan-Guyot 2019-09-04 11:29:49 UTC
Description of problem: When doing an update of the undercloud, for instance, swift will be unavailable during the update if openstack-selinux is updated.

It will come back to normal operation after the update is completed.

This is because the policy in openstack-selinux and in tht disagree:

 - for instance https://github.com/redhat-openstack/openstack-selinux/blob/master/local_settings.sh.in#L50
 - relative to https://github.com/openstack/tripleo-heat-templates/blob/master/deployment/swift/swift-storage-container-puppet.yaml#L589

This will make the srv directory unavailable for swift (you get error 500 if you try to put something in there) until the ansible code is run again.

All in all, we can be at risk of service unavailability during update.

I'm currently determining exactly what policies are modified during openstack-selinux install relative to a working deployment to get a complete list of discrepancies.  I will log the results here.

Thanks,
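The list of label discrepancies the description sets out to collect can be produced mechanically by matching each path that tripleo-heat-templates labels against the `semanage fcontext` rules openstack-selinux installs. The script below is an added example, not code from either project: the rule lines and the tht (path, setype) pairs are constructed samples, and the SELinux types used in them are sample values, not the ones the linked files actually set.

```python
import re
import shlex
from typing import Dict, List, Tuple

# Constructed sample of openstack-selinux style rules (semanage fcontext lines).
# file_contexts regexes match the whole path, so fullmatch() is used below.
SELINUX_RULES = """
# sample rules, not the real local_settings.sh.in contents
semanage fcontext -a -t container_file_t "/srv/node(/.*)?"
semanage fcontext -a -t swift_var_run_t "/var/run/swift(/.*)?"
"""

# Constructed sample of labels tht applies to directories (path, setype).
THT_LABELS: List[Tuple[str, str]] = [
    ("/srv/node", "swift_data_t"),       # disagrees with the sample rule above
    ("/var/run/swift", "swift_var_run_t"),  # agrees
]


def parse_fcontext_rules(text: str) -> List[Tuple[re.Pattern, str]]:
    """Extract (compiled regex, type) from 'semanage fcontext -a -t TYPE REGEX' lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        argv = shlex.split(line)
        if "fcontext" not in argv or "-t" not in argv:
            continue
        setype = argv[argv.index("-t") + 1]
        rules.append((re.compile(argv[-1]), setype))
    return rules


def find_discrepancies(rules, labels) -> List[Dict[str, str]]:
    """Report every tht-labelled path whose matching fcontext rule assigns a different type.

    A hit means a relabel (e.g. restorecon after an openstack-selinux update)
    will move the path away from the type the service was deployed with."""
    hits = []
    for path, tht_type in labels:
        for pattern, rule_type in rules:
            if pattern.fullmatch(path) and rule_type != tht_type:
                hits.append({"path": path, "tht": tht_type,
                             "openstack_selinux": rule_type, "rule": pattern.pattern})
    return hits


if __name__ == "__main__":
    for hit in find_discrepancies(parse_fcontext_rules(SELINUX_RULES), THT_LABELS):
        print(f"{hit['path']}: tht sets {hit['tht']}, rule {hit['rule']} sets {hit['openstack_selinux']}")
```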

Comment 1 Julie Pichon 2019-09-25 10:11:21 UTC
Hi! Any luck/update with catching the additional label discrepancies? Thank you.

Comment 2 Julie Pichon 2019-11-20 11:37:27 UTC
Possibly related: https://bugzilla.redhat.com/show_bug.cgi?id=1773892

Also maybe https://bugzilla.redhat.com/show_bug.cgi?id=1772025 though I'm not sure if we want to change the context or set a new allow rule.

Comment 3 Sofer Athlan-Guyot 2019-12-20 17:26:22 UTC
Hi,

Well, sorry about this, but I couldn't go deeper with that. I think we can close that one and I will open a specific bz for each issue found.

Thanks.

Comment 4 Julie Pichon 2020-01-02 09:19:53 UTC
That sounds fair. Thank you for all your help!!