Bug 1902272 - fapolicyd breaks RHV-M JBoss deployments
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: fapolicyd
Version: 8.3
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: rc
Target Release: 8.0
Assignee: Radovan Sroka
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks: 2015796
Reported: 2020-11-27 14:36 UTC by Juan Orti
Modified: 2022-07-22 09:05 UTC

Fixed In Version:
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-07-22 09:04:53 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 5605451 0 None None None 2020-11-27 14:36:14 UTC

Description Juan Orti 2020-11-27 14:36:14 UTC
Description of problem:
In a fully updated RHEL 8.3 used as RHV Manager, fapolicyd breaks the JBoss deployments of the RHV-M applications and users get an HTTP 404 error.

Version-Release number of selected component (if applicable):
fapolicyd-1.0-3.el8_3.2.x86_64
ovirt-engine-4.4.3.12-0.1.el8ev.noarch

How reproducible:
Always

Steps to Reproduce:
1. Install RHEL 8.3
2. Follow these instructions to install a standalone RHV Manager:

https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html/installing_red_hat_virtualization_as_a_standalone_manager_with_local_databases/installing_the_red_hat_virtualization_manager_sm_localdb_deploy

3. After running engine-setup to configure RHV-M, verify that the administration portal works:

# curl -kv https://RHVM_FQDN/ovirt-engine/

4. Install and enable fapolicyd:

# yum install -y fapolicyd
# systemctl enable --now fapolicyd

5. Restart the RHV-M services:

# systemctl restart httpd ovirt-engine

Actual results:
Users get an HTTP 404 error when accessing the administration portal.

Expected results:
No errors.

Additional info:
JBoss throws errors of files not found:

/var/log/ovirt-engine/server.log:
~~~
2020-11-27 15:19:41,702+01 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-3) MSC000001: Failed to start service jboss.deployment.subunit."engine.ear"."webadmin.war".STRUCTURE: org.jboss.msc.service.StartException in service jboss.deployment.subunit."engine.ear"."webadmin.war".STRUCTURE: WFLYSRV0153: Failed to process phase STRUCTURE of subdeployment "webadmin.war" of deployment "engine.ear"
        at org.jboss.as.server.12.SP1-redhat-00001//org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:183)
        at org.jboss.msc.11.Final-redhat-00001//org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1739)
        at org.jboss.msc.11.Final-redhat-00001//org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1701)
        at org.jboss.msc.11.Final-redhat-00001//org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1559)
        at org.jboss.threads.3.Final-redhat-00001//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
        at org.jboss.threads.3.Final-redhat-00001//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
        at org.jboss.threads.3.Final-redhat-00001//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
        at org.jboss.threads.3.Final-redhat-00001//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1363)
        at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: org.jboss.as.server.deployment.DeploymentUnitProcessingException: org.jboss.as.server.deployment.DeploymentUnitProcessingException: WFLYUT0048: Failed to process WEB-INF/lib: "/var/lib/ovirt-engine/jboss_runtime/deployments/engine.ear/webadmin.war/WEB-INF/lib/gwt-servlet.jar"
        at org.wildfly.extension.undertow.3.GA-redhat-00004//org.wildfly.extension.undertow.deployment.WarStructureDeploymentProcessor.deploy(WarStructureDeploymentProcessor.java:128)
        at org.jboss.as.server.12.SP1-redhat-00001//org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:176)
        ... 8 more
Caused by: org.jboss.as.server.deployment.DeploymentUnitProcessingException: WFLYUT0048: Failed to process WEB-INF/lib: "/var/lib/ovirt-engine/jboss_runtime/deployments/engine.ear/webadmin.war/WEB-INF/lib/gwt-servlet.jar"
        at org.wildfly.extension.undertow.3.GA-redhat-00004//org.wildfly.extension.undertow.deployment.WarStructureDeploymentProcessor.createResourceRoots(WarStructureDeploymentProcessor.java:230)
        at org.wildfly.extension.undertow.3.GA-redhat-00004//org.wildfly.extension.undertow.deployment.WarStructureDeploymentProcessor.deploy(WarStructureDeploymentProcessor.java:123)
        ... 9 more
Caused by: java.io.FileNotFoundException: /var/lib/ovirt-engine/jboss_runtime/deployments/engine.ear/webadmin.war/WEB-INF/lib/gwt-servlet.jar (Operation not permitted)
        at java.base/java.io.FileInputStream.open0(Native Method)
        at java.base/java.io.FileInputStream.open(FileInputStream.java:219)
        at java.base/java.io.FileInputStream.<init>(FileInputStream.java:157)
        at org.jboss.vfs.15.Final-redhat-00001//org.jboss.vfs.spi.RootFileSystem.openInputStream(RootFileSystem.java:51)
        at org.jboss.vfs.15.Final-redhat-00001//org.jboss.vfs.VirtualFile.openStream(VirtualFile.java:318)
        at org.jboss.vfs.15.Final-redhat-00001//org.jboss.vfs.VFS.mountZip(VFS.java:410)
        at org.wildfly.extension.undertow.3.GA-redhat-00004//org.wildfly.extension.undertow.deployment.WarStructureDeploymentProcessor.createResourceRoots(WarStructureDeploymentProcessor.java:222)
        ... 10 more
2020-11-27 15:19:42,690+01 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("deploy") failed - address: ([("deployment" => "engine.ear")]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.deployment.subunit.\"engine.ear\".\"webadmin.war\".STRUCTURE" => "WFLYSRV0153: Failed to process phase STRUCTURE of subdeployment \"webadmin.war\" of deployment \"engine.ear\"
    Caused by: org.jboss.as.server.deployment.DeploymentUnitProcessingException: org.jboss.as.server.deployment.DeploymentUnitProcessingException: WFLYUT0048: Failed to process WEB-INF/lib: \"/var/lib/ovirt-engine/jboss_runtime/deployments/engine.ear/webadmin.war/WEB-INF/lib/gwt-servlet.jar\"
    Caused by: org.jboss.as.server.deployment.DeploymentUnitProcessingException: WFLYUT0048: Failed to process WEB-INF/lib: \"/var/lib/ovirt-engine/jboss_runtime/deployments/engine.ear/webadmin.war/WEB-INF/lib/gwt-servlet.jar\"
    Caused by: java.io.FileNotFoundException: /var/lib/ovirt-engine/jboss_runtime/deployments/engine.ear/webadmin.war/WEB-INF/lib/gwt-servlet.jar (Operation not permitted)"}}
2020-11-27 15:19:42,691+01 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("deploy") failed - address: ([("deployment" => "restapi.war")]) - failure description: {
    "WFLYCTL0412: Required services that are not installed:" => ["jboss.naming.context.java.global.engine.bll.\"Backend!org.ovirt.engine.core.common.interfaces.BackendLocal\""],
    "WFLYCTL0180: Services with missing/unavailable dependencies" => [
        "jboss.naming.context.java.module.restapi.restapi.env.\"org.ovirt.engine.core.utils.servlet.CORSSupportFilter\".backend is missing [jboss.naming.context.java.global.engine.bll.\"Backend!org.ovirt.engine.core.common.interfaces.BackendLocal\"]",
        "jboss.naming.context.java.module.restapi.restapi.env.\"org.ovirt.engine.api.restapi.invocation.CurrentFilter\".backend is missing [jboss.naming.context.java.global.engine.bll.\"Backend!org.ovirt.engine.core.common.interfaces.BackendLocal\"]",
        "jboss.naming.context.java.module.restapi.restapi.env.\"org.ovirt.engine.api.restapi.invocation.VersionFilter\".backend is missing [jboss.naming.context.java.global.engine.bll.\"Backend!org.ovirt.engine.core.common.interfaces.BackendLocal\"]"
    ]
}
~~~
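
Added example, not part of the original report: the trace above ends in `java.io.FileNotFoundException ... (Operation not permitted)`, and since the JVM reports every failed open as file-not-found, only the errno text in parentheses separates a policy denial from a genuinely missing file. The script below classifies such log lines by errno; the function names and the `/opt/example` sample paths are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report: classify FileNotFoundException
# lines in a JBoss server.log by the errno text the JVM appends.

# Print "ERRNO<TAB>PATH" once per distinct pair, in first-seen order.
classify_fnf() {
    awk '
    /java\.io\.FileNotFoundException: / {
        line = $0
        sub(/.*java\.io\.FileNotFoundException: /, "", line)
        sub(/\)[^)]*$/, ")", line)      # drop anything after the last ")"
        if (!match(line, / \([^()]*\)$/)) next
        path = substr(line, 1, RSTART - 1)
        why  = substr(line, RSTART + 2, RLENGTH - 3)
        if      (why == "Operation not permitted")   e = "EPERM"
        else if (why == "Permission denied")         e = "EACCES"
        else if (why == "No such file or directory") e = "ENOENT"
        else                                         e = "OTHER"
        if (!seen[e "\t" path]++) print e "\t" path
    }'
}

# Distinct paths refused with EPERM, the errno that a fanotify permission
# denial (the mechanism fapolicyd uses) returns to the caller.
eperm_paths() {
    classify_fnf | awk -F '\t' '$1 == "EPERM" { print $2 }'
}

# Constructed sample: the first path is the one in the log above,
# the /opt/example paths are made up.
sample_log() {
cat <<'EOF'
Caused by: java.io.FileNotFoundException: /var/lib/ovirt-engine/jboss_runtime/deployments/engine.ear/webadmin.war/WEB-INF/lib/gwt-servlet.jar (Operation not permitted)
    Caused by: java.io.FileNotFoundException: /var/lib/ovirt-engine/jboss_runtime/deployments/engine.ear/webadmin.war/WEB-INF/lib/gwt-servlet.jar (Operation not permitted)"}}
Caused by: java.io.FileNotFoundException: /opt/example/conf/missing.properties (No such file or directory)
Caused by: java.io.FileNotFoundException: /opt/example/conf/private.key (Permission denied)
	at java.base/java.io.FileInputStream.open0(Native Method)
EOF
}

# Demo on the sample; for a real log: classify_fnf < /var/log/ovirt-engine/server.log
sample_log | classify_fnf
```

On a live host the EPERM paths can be cross-checked against the daemon's own decisions by running `fapolicyd --debug-deny`.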

Comment 9 Thorsten Scherf 2021-06-18 08:00:06 UTC
Setting NEEDINFO on mtessun

Comment 10 Artur Socha 2021-11-04 09:00:42 UTC
Hi, 
I have just learned about this BZ and in the meantime I was trying to adapt RHV-M (ovirt-engine) to work with fapolicyd.

I could not find a way to nicely inject a new rule allowing access to that generated tmp directory so I ended up with a very sub-optimal approach (parsing /etc/fapolicyd/fapolicyd.rules to find the exact place where to put the relevant rule).

I fully agree that the desired approach would be to 'trust' tmp content, however, the 'generation' takes place during Wildfly/EAP server startup which itself is quite problematic to hack around. 

I have 2 things I would like to ask you about:

1) My original understanding of the default rules configuration was that there is no destination where we could move that tmp directory to so that it was not affected by the default setup. Could you please confirm that? I hope I was wrong because then the reconfiguration of Wildfly/EAP tmp from '/var/lib/../tmp' to some '/tmp' (or any other 'accessible' location) is easily doable on our side.

2) If point 1 is not applicable, would it be possible to implement on your end support for partial configuration, i.e. /etc/fapolicyd/conf.d/50-some-custom-rules.conf, and release it with RHEL 8.6?

thanks,
Artur

Comment 14 Sandro Bonazzola 2022-05-16 11:36:24 UTC
Artur is fapolicyd still breaking engine?

Comment 15 Martin Perina 2022-05-16 12:33:43 UTC
(In reply to Sandro Bonazzola from comment #14)
> Artur is fapolicyd still breaking engine?

AFAIK all necessary fixes have been done in BZ2015796 and by the release of fapolicyd-1.1-6 in RHEL 8.6.0, so RHV 4.4 SP1 running on a DISA STIG enabled host should work fine.

Comment 16 Sandro Bonazzola 2022-07-18 11:40:45 UTC
Dropping flag on RHV as dependent product according to comment #15
I think this can be closed then.

Comment 17 Radovan Sroka 2022-07-19 09:22:00 UTC
Can we close this?

Comment 18 Martin Perina 2022-07-22 09:00:29 UTC
(In reply to Radovan Sroka from comment #17)
> Can we close this?

Feel free to close this bug, RHV 4.4 SP1 is now working fine with fapolicyd as described in BZ2015796.

