Bug 1765910 - Load balancer goes into ERROR on listener create (SELinux AVCs)
Summary: Load balancer goes into ERROR on listener create (SELinux AVCs)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux
Version: 16.0 (Train)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: beta
Target Release: 16.0 (Train on RHEL 8.1)
Assignee: Gregory Thiemonge
QA Contact: Bruna Bonguardo
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2019-10-27 09:56 UTC by Carlos Goncalves
Modified: 2020-02-06 14:43 UTC (History)

Fixed In Version: openstack-selinux-0.8.20-0.20191105125849.6578483.el8ost
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-02-06 14:42:47 UTC
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | redhat-openstack openstack-selinux pull 44 | 0 | 'None' | closed | Adds new policies for Octavia amphora with RHEL8.1 | 2021-02-06 16:17:06 UTC
Red Hat Product Errata | RHEA-2020:0283 | 0 | None | None | None | 2020-02-06 14:43:30 UTC

Description Carlos Goncalves 2019-10-27 09:56:28 UTC
Load balancer goes into ERROR on listener create. The error message in the Worker service hints that something went wrong in the amphora. Looking at the journal of the amphora instance, one can see warnings of NetworkManager not being able to open file /etc/sysconfig/network-scripts/ifcfg-eth1 and mount permission denied. These are due to SELinux AVCs.


Version-Release number of selected component (if applicable):
RHOS_TRUNK-16.0-RHEL-8-20191007.n.0

How reproducible:
100%

Steps to Reproduce:
1. Create load balancer and wait for ACTIVE operational status
2. Create listener (TCP:80 is good enough)
3. Observe load balancer and listener go into ERROR

Actual results:

Oct 26 11:06:20 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc awk[1640]: WARN      : [ifup] You are using 'ifup' script provided by 'network-scripts', which are now deprecated.
Oct 26 11:06:20 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc ifup[1649]: You are using 'ifup' script provided by 'network-scripts', which are now deprecated.
Oct 26 11:06:20 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc awk[1640]: WARN      : [ifup] 'network-scripts' will be removed in one of the next major releases of RHEL.
Oct 26 11:06:20 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc ifup[1650]: 'network-scripts' will be removed in one of the next major releases of RHEL.
Oct 26 11:06:20 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc awk[1640]: WARN      : [ifup] It is advised to switch to 'NetworkManager' instead - it provides 'ifup/ifdown' scripts as well.
Oct 26 11:06:20 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc ifup[1651]: It is advised to switch to 'NetworkManager' instead - it provides 'ifup/ifdown' scripts as well.
Oct 26 11:06:20 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc NetworkManager[780]: <warn>  [1572102380.2425] ifcfg-rh: loading "/etc/sysconfig/network-scripts/ifcfg-eth1" fails: Could not read file '/etc/sysconfig/network-scripts/ifcfg-eth1': No such file or directory
Oct 26 11:06:20 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc NetworkManager[780]: <warn>  [1572102380.3765] ifcfg-rh: loading "/etc/sysconfig/network-scripts/ifcfg-eth1" fails: Could not read file '/etc/sysconfig/network-scripts/ifcfg-eth1': No such file or directory
Oct 26 11:06:20 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc NetworkManager[780]: <warn>  [1572102380.6253] ifcfg-rh: loading "/etc/sysconfig/network-scripts/ifcfg-eth1" fails: Could not read file '/etc/sysconfig/network-scripts/ifcfg-eth1': No such file or directory
Oct 26 11:06:20 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc awk[1640]: ERROR     : [/etc/sysconfig/network-scripts/ifup-ipv6] Global IPv6 forwarding is disabled in configuration, but not currently disabled in kernel
Oct 26 11:06:20 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc /etc/sysconfig/network-scripts/ifup-ipv6[1697]: Global IPv6 forwarding is disabled in configuration, but not currently disabled in kernel
Oct 26 11:06:20 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc awk[1640]: ERROR     : [/etc/sysconfig/network-scripts/ifup-ipv6] Please restart network with '/sbin/service network restart'
Oct 26 11:06:20 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc /etc/sysconfig/network-scripts/ifup-ipv6[1698]: Please restart network with '/sbin/service network restart'
Oct 26 11:06:20 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc NetworkManager[780]: <warn>  [1572102380.9332] ifcfg-rh: loading "/etc/sysconfig/network-scripts/ifcfg-eth1" fails: Could not read file '/etc/sysconfig/network-scripts/ifcfg-eth1': No such file or directory
Oct 26 11:06:21 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc systemd[1]: Started Configure amphora-haproxy network namespace.
Oct 26 11:06:21 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc systemd[1]: Starting HAProxy Load Balancer...
Oct 26 11:06:21 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc ip[1737]: mount of /sys failed: Permission denied
Oct 26 11:06:21 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc systemd[1]: haproxy-1c37e27e-914a-4e44-a30e-8814e03f04f2.service: Main process exited, code=exited, status=1/FAILURE
Oct 26 11:06:21 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc systemd[1]: haproxy-1c37e27e-914a-4e44-a30e-8814e03f04f2.service: Failed with result 'exit-code'.
Oct 26 11:06:21 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc systemd[1]: Failed to start HAProxy Load Balancer.
Oct 26 11:06:21 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc amphora-agent[1079]: 2019-10-26 11:06:21.408 1079 DEBUG octavia.amphorae.backends.agent.api_server.loadbalancer [-] Failed to start haproxy-1c37e27e-914a-4e44-a30e-8814e03f04f2 service: Command '['/usr/sbin/service', 'haproxy-1c37e27e-914a-4e44-a30e-8814e03f04f2', 'start']' returned non-zero exit status 1. b'Redirecting to /bin/systemctl start haproxy-1c37e27e-914a-4e44-a30e-8814e03f04f2.service\nJob for haproxy-1c37e27e-914a-4e44-a30e-8814e03f04f2.service failed because the control process exited with error code.\nSee "systemctl status haproxy-1c37e27e-914a-4e44-a30e-8814e03f04f2.service" and "journalctl -xe" for details.\n' start_stop_lb /usr/lib/python3.6/site-packages/octavia/amphorae/backends/agent/api_server/loadbalancer.py:261
Oct 26 11:06:21 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc amphora-agent[990]: 2019-10-26 11:06:21.408 1079 DEBUG octavia.amphorae.backends.agent.api_server.loadbalancer [-] Failed to start haproxy-1c37e27e-914a-4e44-a30e-8814e03f04f2 service: Command '['/usr/sbin/service', 'haproxy-1c37e27e-914a-4e44-a30e-8814e03f04f2', 'start']' returned non-zero exit status 1. b'Redirecting to /bin/systemctl start haproxy-1c37e27e-914a-4e44-a30e-8814e03f04f2.service\nJob for haproxy-1c37e27e-914a-4e44-a30e-8814e03f04f2.service failed because the control process exited with error code.\nSee "systemctl status haproxy-1c37e27e-914a-4e44-a30e-8814e03f04f2.service" and "journalctl -xe" for details.\n' start_stop_lb /usr/lib/python3.6/site-packages/octavia/amphorae/backends/agent/api_server/loadbalancer.py:261
Oct 26 11:06:21 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc systemd[1]: haproxy-1c37e27e-914a-4e44-a30e-8814e03f04f2.service: Service RestartSec=100ms expired, scheduling restart.
Oct 26 11:06:21 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc systemd[1]: haproxy-1c37e27e-914a-4e44-a30e-8814e03f04f2.service: Scheduled restart job, restart counter is at 1.
Oct 26 11:06:21 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc systemd[1]: Stopped HAProxy Load Balancer.
Oct 26 11:06:21 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc systemd[1]: Starting HAProxy Load Balancer...
Oct 26 11:06:21 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc ip[1742]: mount of /sys failed: Permission denied
Oct 26 11:06:21 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc systemd[1]: haproxy-1c37e27e-914a-4e44-a30e-8814e03f04f2.service: Main process exited, code=exited, status=1/FAILURE
Oct 26 11:06:21 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc systemd[1]: haproxy-1c37e27e-914a-4e44-a30e-8814e03f04f2.service: Failed with result 'exit-code'.
Oct 26 11:06:21 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc systemd[1]: Failed to start HAProxy Load Balancer.
Oct 26 11:06:22 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc systemd[1]: haproxy-1c37e27e-914a-4e44-a30e-8814e03f04f2.service: Service RestartSec=100ms expired, scheduling restart.
Oct 26 11:06:22 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc systemd[1]: haproxy-1c37e27e-914a-4e44-a30e-8814e03f04f2.service: Scheduled restart job, restart counter is at 2.
Oct 26 11:06:22 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc systemd[1]: Stopped HAProxy Load Balancer.
Oct 26 11:06:22 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc systemd[1]: Starting HAProxy Load Balancer...
Oct 26 11:06:22 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc ip[1745]: mount of /sys failed: Permission denied
Oct 26 11:06:22 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc systemd[1]: haproxy-1c37e27e-914a-4e44-a30e-8814e03f04f2.service: Main process exited, code=exited, status=1/FAILURE
Oct 26 11:06:22 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc systemd[1]: haproxy-1c37e27e-914a-4e44-a30e-8814e03f04f2.service: Failed with result 'exit-code'.
Oct 26 11:06:22 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc systemd[1]: Failed to start HAProxy Load Balancer.
Oct 26 11:06:22 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc systemd[1]: haproxy-1c37e27e-914a-4e44-a30e-8814e03f04f2.service: Service RestartSec=100ms expired, scheduling restart.
Oct 26 11:06:22 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc systemd[1]: haproxy-1c37e27e-914a-4e44-a30e-8814e03f04f2.service: Scheduled restart job, restart counter is at 3.
Oct 26 11:06:22 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc systemd[1]: Stopped HAProxy Load Balancer.
Oct 26 11:06:22 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc systemd[1]: Starting HAProxy Load Balancer...
Oct 26 11:06:22 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc ip[1752]: mount of /sys failed: Permission denied
Oct 26 11:06:22 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc systemd[1]: haproxy-1c37e27e-914a-4e44-a30e-8814e03f04f2.service: Main process exited, code=exited, status=1/FAILURE
Oct 26 11:06:22 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc systemd[1]: haproxy-1c37e27e-914a-4e44-a30e-8814e03f04f2.service: Failed with result 'exit-code'.
Oct 26 11:06:22 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc systemd[1]: Failed to start HAProxy Load Balancer.
Oct 26 11:06:23 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc systemd[1]: haproxy-1c37e27e-914a-4e44-a30e-8814e03f04f2.service: Service RestartSec=100ms expired, scheduling restart.
Oct 26 11:06:23 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc systemd[1]: haproxy-1c37e27e-914a-4e44-a30e-8814e03f04f2.service: Scheduled restart job, restart counter is at 4.
Oct 26 11:06:23 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc systemd[1]: Stopped HAProxy Load Balancer.
Oct 26 11:06:23 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc systemd[1]: Starting HAProxy Load Balancer...
Oct 26 11:06:23 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc ip[1755]: mount of /sys failed: Permission denied
Oct 26 11:06:23 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc systemd[1]: haproxy-1c37e27e-914a-4e44-a30e-8814e03f04f2.service: Main process exited, code=exited, status=1/FAILURE
Oct 26 11:06:23 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc systemd[1]: haproxy-1c37e27e-914a-4e44-a30e-8814e03f04f2.service: Failed with result 'exit-code'.
Oct 26 11:06:23 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc systemd[1]: Failed to start HAProxy Load Balancer.
Oct 26 11:06:23 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc systemd[1]: haproxy-1c37e27e-914a-4e44-a30e-8814e03f04f2.service: Service RestartSec=100ms expired, scheduling restart.
Oct 26 11:06:23 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc systemd[1]: haproxy-1c37e27e-914a-4e44-a30e-8814e03f04f2.service: Scheduled restart job, restart counter is at 5.
Oct 26 11:06:23 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc systemd[1]: Stopped HAProxy Load Balancer.
Oct 26 11:06:23 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc systemd[1]: haproxy-1c37e27e-914a-4e44-a30e-8814e03f04f2.service: Start request repeated too quickly.
Oct 26 11:06:23 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc systemd[1]: haproxy-1c37e27e-914a-4e44-a30e-8814e03f04f2.service: Failed with result 'exit-code'.
Oct 26 11:06:23 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc systemd[1]: Failed to start HAProxy Load Balancer.
Oct 26 11:06:23 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc systemd[1]: amphora-netns.service: Unit not needed anymore. Stopping.
Oct 26 11:06:23 amphora-cb8ebf5c-0927-4675-8048-5cea193a0fcc systemd[1]: Stopped Configure amphora-haproxy network namespace.


File /var/log/audit/audit.log:

type=AVC msg=audit(1572103537.454:113): avc:  denied  { read } for  pid=1752 comm="ip" dev="nsfs" ino=4026531992 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=file permissive=1
type=AVC msg=audit(1572103537.454:113): avc:  denied  { open } for  pid=1752 comm="ip" path="net:[4026531992]" dev="nsfs" ino=4026531992 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=file permissive=1

Comment 4 Gregory Thiemonge 2019-10-30 13:57:41 UTC
Another denied permission:

type=AVC msg=audit(1572356953.842:84): avc:  denied  { mounton } for  pid=4491 comm="ip" path="/sys" dev="vda1" ino=509 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=0
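
Added example, not part of the bug report or of the openstack-selinux project: a small triage script that parses the three AVC records quoted above, groups them by source type, target type and object class, and separates denials that were only logged (permissive=1) from the one the kernel actually enforced (permissive=0). The function names are illustrative, and the rendered allow rules are review candidates in the style of audit2allow output, not the policy merged in the pull request.

```python
import re
from collections import defaultdict

# AVC records copied verbatim from the audit.log excerpts in this bug report.
AUDIT_LINES = [
    'type=AVC msg=audit(1572103537.454:113): avc:  denied  { read } for  pid=1752 comm="ip" dev="nsfs" ino=4026531992 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1572103537.454:113): avc:  denied  { open } for  pid=1752 comm="ip" path="net:[4026531992]" dev="nsfs" ino=4026531992 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1572356953.842:84): avc:  denied  { mounton } for  pid=4491 comm="ip" path="/sys" dev="vda1" ino=509 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=0',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?\bscontext=(?P<scon>\S+)\s+'
    r'tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)\s+permissive=(?P<permissive>[01])'
)

def selinux_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(':')[2]

def summarize(lines):
    """Merge denials per (source type, target type, class); note real blocks."""
    groups = defaultdict(lambda: {'perms': set(), 'blocked': False})
    for line in lines:
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC denial record
        key = (selinux_type(m['scon']), selinux_type(m['tcon']), m['tclass'])
        groups[key]['perms'].update(m['perms'].split())
        # permissive=0: the kernel refused the access; permissive=1: logged only
        groups[key]['blocked'] |= m['permissive'] == '0'
    return dict(groups)

def candidate_rules(lines):
    """Render each group as an allow rule for review, audit2allow style."""
    rules = []
    for (src, tgt, cls), g in sorted(summarize(lines).items()):
        status = 'blocked' if g['blocked'] else 'logged only (permissive=1)'
        rules.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(g['perms']))} }};  # {status}")
    return rules

if __name__ == '__main__':
    print('\n'.join(candidate_rules(AUDIT_LINES)))
```

The permissive flag matters for triage here: only the mounton denial on sysfs_t was enforced, which matches the "mount of /sys failed: Permission denied" lines in the journal.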

Comment 6 Gregory Thiemonge 2019-11-05 08:00:57 UTC
Pull-request: https://github.com/redhat-openstack/openstack-selinux/pull/44

Comment 11 errata-xmlrpc 2020-02-06 14:42:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:0283

