Bug 2039910 - [centos9] Missing openstack booleans possibly because of an error with container-selinux
Summary: [centos9] Missing openstack booleans possibly because of an error with contai...
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: container-selinux
Version: CentOS Stream
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Daniel Walsh
QA Contact: atomic-bugs@redhat.com
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-01-12 17:31 UTC by David Vallee Delisle
Modified: 2022-01-17 17:27 UTC
CC: 6 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-01-17 11:06:42 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Attachments: (none)


Links
System                 ID               Private  Priority  Status  Summary  Last Updated
Red Hat Issue Tracker  RHELPLAN-107613  0        None      None    None     2022-01-12 17:35:47 UTC

Description David Vallee Delisle 2022-01-12 17:31:17 UTC
Description of problem:
Missing the openstack booleans when running initial install of openstack-selinux

When we re-install openstack-selinux, we see post-script returning container errors [1]


Version-Release number of selected component (if applicable):
container-selinux-2.172.1-1.el9.noarch
openstack-selinux-0.8.29-0.20211110070709.7211283.el9.noarch


How reproducible:
2/2 so far

Steps to Reproduce:
1. Deploy tripleo master branch
2. Computes with virt roles are not deploying 

Actual results:
SELinux boolean os_enable_vtpm does not exist.

Expected results:


Additional info:

[1]
~~~
[root@compute-1 yum.repos.d]# dnf reinstall openstack-selinux
Last metadata expiration check: 0:50:26 ago on Wed 12 Jan 2022 11:27:20 AM EST.
Dependencies resolved.
====================================================================================================================================================================================================================
 Package                                        Architecture                        Version                                                            Repository                                              Size
====================================================================================================================================================================================================================
Reinstalling:
 openstack-selinux                              noarch                              0.8.29-0.20211110070709.7211283.el9                                delorean-component-common                              221 k

Transaction Summary
====================================================================================================================================================================================================================

Total download size: 221 k
Installed size: 304 k
Is this ok [y/N]: y
Downloading Packages:
openstack-selinux-0.8.29-0.20211110070709.7211283.el9.noarch.rpm                                                                                                                    671 kB/s | 221 kB     00:00    
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                                               666 kB/s | 221 kB     00:00     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                                                                            1/1 
  Reinstalling     : openstack-selinux-0.8.29-0.20211110070709.7211283.el9.noarch                                                                                                                               1/2 
  Running scriptlet: openstack-selinux-0.8.29-0.20211110070709.7211283.el9.noarch                                                                                                                               1/2 
Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:370
Failed to resolve AST
OSError: [Errno 0] Error

  Running scriptlet: openstack-selinux-0.8.29-0.20211110070709.7211283.el9.noarch                                                                                                                               2/2 
  Cleanup          : openstack-selinux-0.8.29-0.20211110070709.7211283.el9.noarch                                                                                                                               2/2 
  Verifying        : openstack-selinux-0.8.29-0.20211110070709.7211283.el9.noarch                                                                                                                               1/2 
  Verifying        : openstack-selinux-0.8.29-0.20211110070709.7211283.el9.noarch                                                                                                                               2/2 

Reinstalled:
  openstack-selinux-0.8.29-0.20211110070709.7211283.el9.noarch                                                                                                                                                      

Complete!
[root@compute-1 yum.repos.d]# getsebool -a | grep ^os
os_barbican_write_pki --> off
os_cinder_use_nfs --> on
os_dnsmasq_dac_override --> off
os_enable_vtpm --> off
os_glance_dac_override --> on
os_glance_use_nfs --> on
os_glance_use_sudo --> on
os_gnocchi_use_nfs --> on
os_haproxy_dac_override --> on
os_httpd_wsgi --> on
os_keepalived_dac_override --> on
os_keystone_use_execmem --> on
os_neutron_dac_override --> off
os_neutron_use_execmem --> on
os_nova_use_execmem --> on
os_openvswitch_dac_override --> on
os_swift_use_execmem --> on
os_virtlog_dac_override --> on
os_virtlogd_use_nfs --> on
~~~

Comment 1 David Vallee Delisle 2022-01-12 18:50:38 UTC
[1]  I got the same error when reinstalling container-selinux.

Also this breaks deployment further down, now on the controllers [2]

It looks like it's related to this:
https://github.com/containers/podman/issues/3234


[1]
~~~
[root@controller-0 ~]# dnf reinstall container-selinux
Last metadata expiration check: 1:58:10 ago on Wed 12 Jan 2022 04:45:29 PM UTC.
Dependencies resolved.
============================================================================================================================================================================================================================================================================================================================================================================================================================================
 Package                                                                                                   Architecture                                                                                   Version                                                                                                    Repository                                                                                                        Size
============================================================================================================================================================================================================================================================================================================================================================================================================================================
Reinstalling:
 container-selinux                                                                                         noarch                                                                                         3:2.172.1-1.el9                                                                                            centos9-stream-appstream                                                                                          44 k

Transaction Summary
============================================================================================================================================================================================================================================================================================================================================================================================================================================

Total download size: 44 k
Installed size: 54 k
Is this ok [y/N]: y
Downloading Packages:
container-selinux-2.172.1-1.el9.noarch.rpm                                                                                                                                                                                                                                                                                                                                                                  118 kB/s |  44 kB     00:00    
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                                                                                                                                                                                                                                                                       118 kB/s |  44 kB     00:00     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                                                                                                                                                                                                                                                                                                    1/1 
  Running scriptlet: container-selinux-3:2.172.1-1.el9.noarch                                                                                                                                                                                                                                                                                                                                                                           1/2 
  Reinstalling     : container-selinux-3:2.172.1-1.el9.noarch                                                                                                                                                                                                                                                                                                                                                                           1/2 
  Running scriptlet: container-selinux-3:2.172.1-1.el9.noarch                                                                                                                                                                                                                                                                                                                                                                           1/2 
Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:370
Failed to resolve AST
/usr/sbin/semodule:  Failed!

Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:370
Failed to resolve AST
semodule:  Failed!

  Running scriptlet: container-selinux-3:2.172.1-1.el9.noarch                                                                                                                                                                                                                                                                                                                                                                           2/2 
Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:370
Failed to resolve AST
semodule:  Failed!

  Cleanup          : container-selinux-3:2.172.1-1.el9.noarch                                                                                                                                                                                                                                                                                                                                                                           2/2 
  Running scriptlet: container-selinux-3:2.172.1-1.el9.noarch                                                                                                                                                                                                                                                                                                                                                                           2/2 
  Verifying        : container-selinux-3:2.172.1-1.el9.noarch                                                                                                                                                                                                                                                                                                                                                                           1/2 
  Verifying        : container-selinux-3:2.172.1-1.el9.noarch                                                                                                                                                                                                                                                                                                                                                                           2/2 

Reinstalled:
  container-selinux-3:2.172.1-1.el9.noarch                                                                                                                                                                                                                                                                                                                                                                                                  

Complete!
~~~

[2]
~~~
[root@controller-0 ~]# podman logs mysql_data_ownership
dumb-init: error while loading shared libraries: libc.so.6: cannot change memory protections
time->Wed Jan 12 17:50:37 2022
type=PROCTITLE msg=audit(1642009837.117:16077): proctitle=64756D622D696E6974002D2D0062617368002D6563006966205B202D65202F7661722F6C69622F6D7973716C2F6D7973716C205D3B207468656E206578697420303B2066690A6563686F202D6520225C6E5B6D7973716C645D5C6E77737265705F70726F76696465723D6E6F6E6522203E3E202F6574632F6D792E636E660A6B
type=SYSCALL msg=audit(1642009837.117:16077): arch=c000003e syscall=10 success=no exit=-13 a0=7fc26b2b2000 a1=1cb000 a2=0 a3=802 items=0 ppid=46688 pid=46691 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="dumb-init" exe="/usr/bin/dumb-init" subj=system_u:system_r:container_t:s0:c247,c961 key=(null)
type=AVC msg=audit(1642009837.117:16077): avc:  denied  { read } for  pid=46691 comm="dumb-init" path="/usr/lib64/libc.so.6" dev="vda2" ino=125829561 scontext=system_u:system_r:container_t:s0:c247,c961 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
~~~

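The audit trail in [2] is worth reading more closely than the podman error message, so here is an added example (editor's code, not the reporter's and not part of container-selinux or podman) that decodes the three records quoted in comment 1: it recovers argv from the hex proctitle, names the syscall (10 on arch c000003e is mprotect, which is why dumb-init reports "cannot change memory protections"), and checks the denial against a heuristic: a container_t process denied on a file that carries a host type such as var_lib_t, at a path that is part of the image's rootfs, points at mislabelled container storage rather than at a missing allow rule. The partial x86_64 syscall table and the set of "expected" container target types are the editor's assumptions; confirm the latter on the host with `sesearch -A -s container_t -c file -p read`.

```python
"""Decode the PROCTITLE/SYSCALL/AVC records from comment 1 of this bug.

Added example for this page; not code from the reporter, container-selinux
or podman.  The three records are copied verbatim from the bug report.
Assumptions (editor's, not the page's): the partial x86_64 syscall table and
CONTAINER_TARGET_TYPES below.
"""
import re
from typing import Dict, List, Optional

# Copied from comment 1 of the bug (not constructed).
AUDIT_RECORDS = [
    'type=PROCTITLE msg=audit(1642009837.117:16077): proctitle=64756D622D696E6974002D2D0062617368002D6563006966205B202D65202F7661722F6C69622F6D7973716C2F6D7973716C205D3B207468656E206578697420303B2066690A6563686F202D6520225C6E5B6D7973716C645D5C6E77737265705F70726F76696465723D6E6F6E6522203E3E202F6574632F6D792E636E660A6B',
    'type=SYSCALL msg=audit(1642009837.117:16077): arch=c000003e syscall=10 success=no exit=-13 a0=7fc26b2b2000 a1=1cb000 a2=0 a3=802 items=0 ppid=46688 pid=46691 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="dumb-init" exe="/usr/bin/dumb-init" subj=system_u:system_r:container_t:s0:c247,c961 key=(null)',
    'type=AVC msg=audit(1642009837.117:16077): avc:  denied  { read } for  pid=46691 comm="dumb-init" path="/usr/lib64/libc.so.6" dev="vda2" ino=125829561 scontext=system_u:system_r:container_t:s0:c247,c961 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0',
]

FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')
SERIAL_RE = re.compile(r'msg=audit\(([\d.]+):(\d+)\)')

# Assumption: partial x86_64 table (arch=c000003e is AUDIT_ARCH_X86_64).
X86_64_SYSCALLS = {9: "mmap", 10: "mprotect"}
# Assumption: types a container_t process is expected to read/map for files of
# its own image.  Verify with: sesearch -A -s container_t -c file -p read
CONTAINER_TARGET_TYPES = {"container_file_t", "container_ro_file_t", "container_share_t"}


def parse_record(record: str) -> Dict[str, str]:
    """Split one audit record into key/value fields, unquoting quoted values."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(record)}
    m = AVC_RE.search(record)
    if m:
        fields["avc_result"], fields["avc_perms"] = m.group(1), m.group(2)
    m = SERIAL_RE.search(record)
    if m:
        fields["serial"] = m.group(2)
    return fields


def decode_proctitle(hexstr: str) -> List[str]:
    """proctitle is hex-encoded argv with NUL separators (and may be truncated)."""
    raw = bytes.fromhex(hexstr[: len(hexstr) // 2 * 2])
    return [a.decode("utf-8", "replace") for a in raw.split(b"\x00")]


def context_type(ctx: str) -> str:
    """user:role:type[:range] -> type"""
    return ctx.split(":")[2]


def syscall_name(arch: Optional[str], number: Optional[str]) -> Optional[str]:
    if number is not None and arch == "c000003e":
        return X86_64_SYSCALLS.get(int(number), number)
    return number


def analyze(records: List[str]) -> Dict[str, object]:
    """Correlate records sharing one audit serial and judge the AVC denial."""
    by_type: Dict[str, Dict[str, str]] = {}
    serials = set()
    for rec in records:
        f = parse_record(rec)
        serials.add(f.get("serial"))
        by_type[f["type"]] = f
    if len(serials) != 1:
        raise ValueError("records do not share one audit serial: %r" % serials)
    avc, sc = by_type["AVC"], by_type.get("SYSCALL", {})
    stype, ttype = context_type(avc["scontext"]), context_type(avc["tcontext"])
    proctitle = by_type.get("PROCTITLE", {}).get("proctitle")
    return {
        "argv": decode_proctitle(proctitle) if proctitle else [],
        "syscall": syscall_name(sc.get("arch"), sc.get("syscall")),
        "exit": int(sc["exit"]) if "exit" in sc else None,
        "denied": avc["avc_perms"].split(),
        "tclass": avc["tclass"],
        "source_type": stype,
        "target_type": ttype,
        "path": avc.get("path"),
        "enforcing": avc.get("permissive") == "0",
        # Heuristic: a container domain denied on a file carrying a host type
        # means the storage was labelled wrongly, not that a rule is missing.
        "suspect_mislabel": stype.startswith("container_")
        and avc["tclass"] == "file"
        and ttype not in CONTAINER_TARGET_TYPES,
    }


if __name__ == "__main__":
    r = analyze(AUDIT_RECORDS)
    print("argv   :", r["argv"])
    print("syscall:", r["syscall"], "exit", r["exit"], "denied", r["denied"], "on", r["path"])
    print("types  :", r["source_type"], "->", r["target_type"], "(%s)" % r["tclass"])
    if r["suspect_mislabel"]:
        print("verdict: container storage looks mislabelled; inspect with ls -Z and repair with restorecon -Rv")
```

Run as a script it prints the decoded argv ("dumb-init -- bash -ec if [ -e /var/lib/mysql/mysql ] ...", cut off by the kernel's proctitle limit) and flags the var_lib_t label on /usr/lib64/libc.so.6 inside the container, which is the same direction comment 3 takes when it asks about file contexts and restorecon.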
Comment 2 David Vallee Delisle 2022-01-12 19:02:28 UTC
So the error comes from local_settings.sh, exactly at the semanage import task [1]. I tried to import all these tasks individually but they all fail like this [2].

Not sure where to take it from there.

[1]
~~~
Installing OpenStack extra policies and setting booleans...
+ echo 'boolean -N -m --on virt_use_fusefs
        boolean -N -m --on glance_api_can_network
        boolean -N -m --on neutron_can_network
        boolean -N -m --on glance_use_fusefs
        boolean -N -m --on haproxy_connect_any
        boolean -N -m --on nis_enabled
        boolean -N -m --on rsync_full_access
        boolean -N -m --on rsync_client
        boolean -N -m --on virt_use_execmem
        boolean -N -m --on virt_use_nfs
        boolean -N -m --on daemons_enable_cluster_mode
        boolean -N -m --on glance_use_execmem
        boolean -N -m --on httpd_execmem
        boolean -N -m --on domain_kernel_load_modules
        boolean -N -m --on httpd_can_network_connect
        boolean -N -m --on swift_can_network
        boolean -N -m --on httpd_use_openstack
        boolean -N -m --on collectd_tcp_network_connect
        boolean -N -m --on domain_can_mmap_files
module -N -a /usr/share/selinux/packages/os-ovs.pp.bz2
module -N -a /usr/share/selinux/packages/os-swift.pp.bz2
module -N -a /usr/share/selinux/packages/os-nova.pp.bz2
module -N -a /usr/share/selinux/packages/os-neutron.pp.bz2
module -N -a /usr/share/selinux/packages/os-mysql.pp.bz2
module -N -a /usr/share/selinux/packages/os-glance.pp.bz2
module -N -a /usr/share/selinux/packages/os-rsync.pp.bz2
module -N -a /usr/share/selinux/packages/os-rabbitmq.pp.bz2
module -N -a /usr/share/selinux/packages/os-keepalived.pp.bz2
module -N -a /usr/share/selinux/packages/os-keystone.pp.bz2
module -N -a /usr/share/selinux/packages/os-haproxy.pp.bz2
module -N -a /usr/share/selinux/packages/os-mongodb.pp.bz2
module -N -a /usr/share/selinux/packages/os-ipxe.pp.bz2
module -N -a /usr/share/selinux/packages/os-redis.pp.bz2
module -N -a /usr/share/selinux/packages/os-cinder.pp.bz2
module -N -a /usr/share/selinux/packages/os-httpd.pp.bz2
module -N -a /usr/share/selinux/packages/os-gnocchi.pp.bz2
module -N -a /usr/share/selinux/packages/os-collectd.pp.bz2
module -N -a /usr/share/selinux/packages/os-virt.pp.bz2
module -N -a /usr/share/selinux/packages/os-dnsmasq.pp.bz2
module -N -a /usr/share/selinux/packages/os-octavia.pp.bz2
module -N -a /usr/share/selinux/packages/os-podman.pp.bz2
module -N -a /usr/share/selinux/packages/os-rsyslog.pp.bz2
module -N -a /usr/share/selinux/packages/os-pbis.pp.bz2
module -N -a /usr/share/selinux/packages/os-barbican.pp.bz2
module -N -a /usr/share/selinux/packages/os-logrotate.pp.bz2
module -N -a /usr/share/selinux/packages/os-certmonger.pp.bz2
module -N -a /usr/share/selinux/packages/os-timemaster.pp.bz2'
+ /sbin/semanage import -N
Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:370
Failed to resolve AST
OSError: [Errno 0] Error
~~~

[2]
~~~
[root@controller-0 ~]# echo 'module -N -a /usr/share/selinux/packages/os-ovs.pp.bz2
module -N -a /usr/share/selinux/packages/os-swift.pp.bz2
module -N -a /usr/share/selinux/packages/os-nova.pp.bz2
module -N -a /usr/share/selinux/packages/os-neutron.pp.bz2
module -N -a /usr/share/selinux/packages/os-mysql.pp.bz2
module -N -a /usr/share/selinux/packages/os-glance.pp.bz2
module -N -a /usr/share/selinux/packages/os-rsync.pp.bz2
module -N -a /usr/share/selinux/packages/os-rabbitmq.pp.bz2
module -N -a /usr/share/selinux/packages/os-keepalived.pp.bz2
module -N -a /usr/share/selinux/packages/os-keystone.pp.bz2
module -N -a /usr/share/selinux/packages/os-haproxy.pp.bz2
module -N -a /usr/share/selinux/packages/os-mongodb.pp.bz2
module -N -a /usr/share/selinux/packages/os-ipxe.pp.bz2
module -N -a /usr/share/selinux/packages/os-redis.pp.bz2
module -N -a /usr/share/selinux/packages/os-cinder.pp.bz2
module -N -a /usr/share/selinux/packages/os-httpd.pp.bz2
module -N -a /usr/share/selinux/packages/os-gnocchi.pp.bz2
module -N -a /usr/share/selinux/packages/os-collectd.pp.bz2
module -N -a /usr/share/selinux/packages/os-virt.pp.bz2
module -N -a /usr/share/selinux/packages/os-dnsmasq.pp.bz2
module -N -a /usr/share/selinux/packages/os-octavia.pp.bz2
module -N -a /usr/share/selinux/packages/os-podman.pp.bz2
module -N -a /usr/share/selinux/packages/os-rsyslog.pp.bz2
module -N -a /usr/share/selinux/packages/os-pbis.pp.bz2
module -N -a /usr/share/selinux/packages/os-barbican.pp.bz2
module -N -a /usr/share/selinux/packages/os-logrotate.pp.bz2
module -N -a /usr/share/selinux/packages/os-certmonger.pp.bz2
module -N -a /usr/share/selinux/packages/os-timemaster.pp.bz2' | while read l;do echo $l; echo $l | semanage import -N;done
module -N -a /usr/share/selinux/packages/os-ovs.pp.bz2
Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:370
Failed to resolve AST
OSError: [Errno 0] Error
module -N -a /usr/share/selinux/packages/os-swift.pp.bz2
Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:370
Failed to resolve AST
OSError: [Errno 0] Error
[...]
~~~

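Every `semanage import` above fails on the same statement, "container/cil:370", because each import rebuilds the whole policy store and the already-installed container module cannot be linked. semodule prints only the line number, not the name it could not resolve. The following is an added example (editor's code, not part of openstack-selinux, container-selinux or policycoreutils) of how to turn that line number into candidate names: read the module's CIL, take the statement on the reported line, and list every type, attribute, class, permission or classpermissionset name in it that the rest of the policy does not define. The CIL fragment and the "known symbol" sets are constructed for the example; the bug never shows the real line 370. On a real host the CIL comes from `semodule -c -E container` (or from /var/lib/selinux/targeted/active/modules/200/container/cil, which the store keeps bzip2-compressed by default), and the known names from `seinfo -t`, `seinfo -a` and the base policy's class definitions; the helper assumes one statement per line, which holds for CIL generated from a .pp module but not necessarily for hand-written CIL.

```python
"""Find the unresolved names in the CIL rule that semodule complains about.

Added example for this page; not code from openstack-selinux,
container-selinux or policycoreutils.  SAMPLE_CIL, SAMPLE_ERROR and the
KNOWN_* sets are constructed (the bug never shows the real line 370).
"""
import bz2
import re
from typing import Dict, Iterable, List, Set, Union

ERROR_RE = re.compile(r"Failed to resolve (\w+) statement at (.+?):(\d+)\s*$")
TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")
SET_OPERATORS = {"and", "or", "not", "xor", "all"}  # CIL set-expression keywords

# Constructed sample module: line 5 refers to a type nothing defines.
SAMPLE_CIL = """(typeattributeset cil_gen_require container_t)
(typeattributeset cil_gen_require container_file_t)
(allow container_t container_file_t (file (read write map)))
(allow container_t self (process (fork sigchld)))
(allow container_t container_runtime_tmpfs_t (file (read map execute)))
"""
SAMPLE_ERROR = "Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:5"

# Constructed: what the surrounding policy defines.  On a real host build these
# from `seinfo -t`, `seinfo -a` and the base policy's class/permission lists.
KNOWN_TYPES_AND_ATTRS: Set[str] = {"container_t", "container_file_t", "container_ro_file_t"}
KNOWN_CLASSES: Dict[str, Set[str]] = {
    "file": {"read", "write", "map", "execute", "open"},
    "process": {"fork", "sigchld", "transition"},
}


def parse_sexpr(text: str):
    """Minimal s-expression reader: '(a (b c) d)' -> ['a', ['b', 'c'], 'd']."""
    tokens = TOKEN_RE.findall(text)
    pos = 0

    def read():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            items = []
            while tokens[pos] != ")":
                items.append(read())
            pos += 1
            return items
        return tok

    tree = read()
    if pos != len(tokens):
        raise ValueError("trailing tokens in statement: %s" % text)
    return tree


def load_cil(src: Union[str, bytes]) -> str:
    """Read a module's CIL from a path or bytes; the store may keep it bzip2-compressed."""
    data = src if isinstance(src, bytes) else open(src, "rb").read()
    if data[:3] == b"BZh":
        data = bz2.decompress(data)
    return data.decode()


def _flatten(expr) -> Iterable[str]:
    """Yield the names in a permission set expression, skipping CIL operators."""
    for item in expr if isinstance(expr, list) else [expr]:
        if isinstance(item, list):
            yield from _flatten(item)
        elif item not in SET_OPERATORS:
            yield item


def unresolved_in_allow(stmt: str, known_types: Set[str], known_classes: Dict[str, Set[str]],
                        known_classpermsets: Set[str] = frozenset()) -> List[str]:
    """Names in an access-vector rule that the policy does not define."""
    tree = parse_sexpr(stmt)
    if not (isinstance(tree, list) and len(tree) == 4
            and tree[0] in ("allow", "auditallow", "dontaudit", "neverallow")):
        raise ValueError("not an access-vector rule: %s" % stmt)
    _, src, tgt, classperms = tree
    missing = [n for n in (src, tgt) if n != "self" and n not in known_types]
    if isinstance(classperms, list):            # anonymous (class (perms...))
        cls, perms = classperms
        if cls not in known_classes:
            missing.append(cls)
        else:
            missing += [p for p in _flatten(perms) if p not in known_classes[cls]]
    elif classperms not in known_classpermsets:  # named classpermissionset
        missing.append(classperms)
    return missing


def diagnose(error_line: str, cil_text: str, known_types, known_classes,
             known_classpermsets=frozenset()) -> Dict[str, object]:
    """Map a semodule 'Failed to resolve ... cil:N' line to the offending names."""
    m = ERROR_RE.search(error_line)
    if not m:
        raise ValueError("not a semodule resolve error: %s" % error_line)
    kind, path, line_no = m.group(1), m.group(2), int(m.group(3))
    stmt = cil_text.splitlines()[line_no - 1]
    return {"kind": kind, "path": path, "line": line_no, "statement": stmt,
            "unresolved": unresolved_in_allow(stmt, known_types, known_classes, known_classpermsets)}


if __name__ == "__main__":
    r = diagnose(SAMPLE_ERROR, SAMPLE_CIL, KNOWN_TYPES_AND_ATTRS, KNOWN_CLASSES)
    print("%s:%d: %s" % (r["path"], r["line"], r["statement"]))
    print("unresolved:", ", ".join(r["unresolved"]) or "(none)")
```

For the constructed sample the output is the single name container_runtime_tmpfs_t. The same approach on the failing compute would tell you whether line 370 names a type that the newer selinux-policy dropped, a permission it no longer defines, or a classpermissionset the module never declared, which is the distinction the rest of this thread is trying to make by comparing package versions.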
Comment 3 Julie Pichon 2022-01-13 10:26:25 UTC
I think local_settings.sh is probably a red herring: openstack-selinux first installs a bunch of rules and then uses local_settings.sh to enable the new booleans it created. If the booleans don't exist because of the other issues, an error will be thrown.

I've been trying to reproduce the problem on a CentOS 9 environment to see if it might be possible to see which rule or symbol is missing in the container cil, but I'm not seeing a similar behaviour. container-selinux was preinstalled and reinstalls fine:

$ sudo dnf reinstall container-selinux 
[...]
Running transaction
  Preparing        :                                                                                1/1 
  Running scriptlet: container-selinux-3:2.172.1-1.el9.noarch                                       1/2 
  Reinstalling     : container-selinux-3:2.172.1-1.el9.noarch                                       1/2 
  Running scriptlet: container-selinux-3:2.172.1-1.el9.noarch                                       1/2 
  Cleanup          : container-selinux-3:2.172.1-1.el9.noarch                                       2/2 
  Running scriptlet: container-selinux-3:2.172.1-1.el9.noarch                                       2/2 
  Verifying        : container-selinux-3:2.172.1-1.el9.noarch                                       1/2 
  Verifying        : container-selinux-3:2.172.1-1.el9.noarch                                       2/2 

Reinstalled:
  container-selinux-3:2.172.1-1.el9.noarch


Then installing openstack-selinux from https://trunk.rdoproject.org/centos9-master/component/common/80/29/8029f4e1012ed261fe4ce4c3a6dff10817ec32d4_59fc4580/openstack-selinux-devel-0.8.29-0.20211110070709.7211283.el9.noarch.rpm also completes without errors:

$ sudo dnf install openstack-selinux-0.8.29-0.20211110070709.7211283.el9.noarch.rpm 
Last metadata expiration check: 0:03:34 ago on Thu 13 Jan 2022 10:03:14.
Dependencies resolved.
========================================================================================================
 Package                Arch        Version                                     Repository         Size
========================================================================================================
Installing:
 openstack-selinux      noarch      0.8.29-0.20211110070709.7211283.el9         @commandline      221 k

Transaction Summary
========================================================================================================
Install  1 Package

Total size: 221 k
Installed size: 304 k
Is this ok [y/N]: y
Downloading Packages:
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                1/1 
  Installing       : openstack-selinux-0.8.29-0.20211110070709.7211283.el9.noarch                   1/1 
  Running scriptlet: openstack-selinux-0.8.29-0.20211110070709.7211283.el9.noarch                   1/1 
  Verifying        : openstack-selinux-0.8.29-0.20211110070709.7211283.el9.noarch                   1/1 

Installed:
  openstack-selinux-0.8.29-0.20211110070709.7211283.el9.noarch

Complete!


I wonder if there might be a conflict elsewhere?

$ rpm -qa | grep selinux | sort
container-selinux-2.172.1-1.el9.noarch
libselinux-3.3-2.el9.x86_64
libselinux-utils-3.3-2.el9.x86_64
openstack-selinux-0.8.29-0.20211110070709.7211283.el9.noarch
python3-libselinux-3.3-2.el9.x86_64
rpm-plugin-selinux-4.16.1.3-9.el9.x86_64
selinux-policy-34.1.20-1.el9.noarch
selinux-policy-targeted-34.1.20-1.el9.noarch

I'm not running this in a container, though. The podman issue you linked to pointed to a configuration issue on labels... It may be worthwhile checking the file context of the directory where the containers are stored? Does this work after a restorecon?

Comment 4 David Vallee Delisle 2022-01-13 14:05:05 UTC
> $ rpm -qa | grep selinux | sort
> container-selinux-2.172.1-1.el9.noarch
> libselinux-3.3-2.el9.x86_64
> libselinux-utils-3.3-2.el9.x86_64
> openstack-selinux-0.8.29-0.20211110070709.7211283.el9.noarch
> python3-libselinux-3.3-2.el9.x86_64
> rpm-plugin-selinux-4.16.1.3-9.el9.x86_64
> selinux-policy-34.1.20-1.el9.noarch
> selinux-policy-targeted-34.1.20-1.el9.noarch
> 

I tried to restorecon the whole / and I have the same error when I reinstall openstack-selinux.

I'm looking at the package list you have and it looks like, except for a few additional packages on my side, my lab has selinux-policy-34.1.22-1 as opposed to selinux-policy-34.1.20-1 on yours.

[heat-admin@compute-0 ~]$ rpm -qa | grep selinux | sort
container-selinux-2.172.1-1.el9.noarch
ipa-selinux-4.9.8-1.el9.noarch
libselinux-3.3-2.el9.x86_64
libselinux-ruby-3.3-2.el9.x86_64
libselinux-utils-3.3-2.el9.x86_64
openstack-selinux-0.8.29-0.20211110070709.7211283.el9.noarch
openvswitch-selinux-extra-policy-1.0-30.el9s.noarch
pcp-selinux-5.3.5-3.el9.x86_64
python3-libselinux-3.3-2.el9.x86_64
rpm-plugin-selinux-4.16.1.3-9.el9.x86_64
selinux-policy-34.1.22-1.el9.noarch
selinux-policy-targeted-34.1.22-1.el9.noarch

Comment 5 David Vallee Delisle 2022-01-13 16:18:09 UTC
Looking at the changelog for selinux-policy between .20 and .22, I don't see anything that jumps out.

Changelogs for selinux-policy-34.1.22-1.el9.noarch
* Tue Jan 11 12:00:00 AM 2022 Zdenek Pytela <zpytela> - 34.1.22-1
- Allow sshd read filesystem sysctl files
Resolves: rhbz#2036585
- Revert "Allow sshd read sysctl files"
Resolves: rhbz#2036585

* Mon Jan 10 12:00:00 AM 2022 Zdenek Pytela <zpytela> - 34.1.21-1
- Remove the lockdown class from the policy
Resolves: rhbz#2017848
- Revert "define lockdown class and access"
Resolves: rhbz#2017848
- Allow gssproxy access to various system files.
Resolves: rhbz#2026974
- Allow gssproxy read, write, and map ica tmpfs files
Resolves: rhbz#2026974
- Allow gssproxy read and write z90crypt device
Resolves: rhbz#2026974
- Allow sssd_kcm read and write z90crypt device
Resolves: rhbz#2026974
- Allow abrt_domain read and write z90crypt device
Resolves: rhbz#2026974
- Allow NetworkManager read and write z90crypt device
Resolves: rhbz#2026974
- Allow smbcontrol read the network state information
Resolves: rhbz#2038157
- Allow virt_domain map vhost devices
Resolves: rhbz#2035702
- Allow fcoemon request the kernel to load a module
Resolves: rhbz#2034463
- Allow lldpd connect to snmpd with a unix domain stream socket
Resolves: rhbz#2033315
- Allow ModemManager create a qipcrtr socket
Resolves: rhbz#2036582
- Allow ModemManager request to load a kernel module
Resolves: rhbz#2036582
- Allow sshd read sysctl files

Comment 6 David Vallee Delisle 2022-01-13 16:40:39 UTC
I really think it's a change in selinux-policy or the targeted one that breaks this. On the undercloud, we have 34.1.20-1 and it works fine [1] as opposed to 34.1.22-1 on the compute [2].

I just diffed the source packages [3] and we removed this line from container.te. That's the only thing I can see:
allow container_runtime_domain self:lockdown { confidentiality integrity };

This is the related commit [a]


[a] https://github.com/containers/container-selinux/commit/84d09cedf2dae8193d956e04a8abc7ef15b95f51

[1]
~~~
[stack@undercloud-0 ~]$ rpm -qa | grep selinux
libselinux-3.3-2.el9.x86_64
libselinux-utils-3.3-2.el9.x86_64
python3-libselinux-3.3-2.el9.x86_64
rpm-plugin-selinux-4.16.1.3-7.el9.x86_64
selinux-policy-34.1.20-1.el9.noarch
selinux-policy-targeted-34.1.20-1.el9.noarch
pcp-selinux-5.3.5-3.el9.x86_64
container-selinux-2.173.0-1.el9.noarch
openstack-selinux-0.8.29-0.20211110070709.7211283.el9.noarch
libselinux-ruby-3.3-2.el9.x86_64
openvswitch-selinux-extra-policy-1.0-30.el9s.noarch
ipa-selinux-4.9.8-1.el9.noarch
[stack@undercloud-0 ~]$ echo "module -N -a /usr/share/selinux/packages/os-nova.pp.bz2" | sudo semanage import -N
~~~

[2]
~~~
[root@compute-0 ~]# rpm -qa | grep selinux-policy
selinux-policy-34.1.22-1.el9.noarch
selinux-policy-targeted-34.1.22-1.el9.noarch
[root@compute-0 ~]# echo "module -N -a /usr/share/selinux/packages/os-nova.pp.bz2" | sudo semanage import -N
Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:370
Failed to resolve AST
OSError: [Errno 0] Error
~~~

[3]
~~~
diff -r selinux-policy-34.1.20-1.el9.src/container.fc selinux-policy-34.1.22-1.el9.src/container.fc
38,39d37
< /usr/bin/k3s          --      gen_context(system_u:object_r:container_runtime_exec_t,s0)
< /usr/local/bin/k3s            --      gen_context(system_u:object_r:container_runtime_exec_t,s0)
44d41
< /usr/lib/systemd/system/k3s.*         --      gen_context(system_u:object_r:container_unit_file_t,s0)
112,120d108
< /var/lib/rancher/k3s(/.*)?                                                    gen_context(system_u:object_r:container_var_lib_t,s0)
< /var/lib/rancher/k3s/data(/.*)?                                                       gen_context(system_u:object_r:container_runtime_exec_t,s0)
< /var/lib/rancher/k3s/storage(/.*)?                                            gen_context(system_u:object_r:container_file_t,s0)
< /var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots                 -d      gen_context(system_u:object_r:container_share_t,s0)
< /var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots/[^/]*           -d      gen_context(system_u:object_r:container_share_t,s0)
< /var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots/[^/]*/.*                        <<none>>
< /var/lib/rancher/k3s/agent/containerd/[^/]*/sandboxes(/.*)?                   gen_context(system_u:object_r:container_share_t,s0)
< /var/lib/rancher/k3s/data/.lock                                     gen_context(system_u:object_r:container_lock_t,s0)
< /var/lib/rancher/k3s/data/[^/]*/etc(/.*)?                           gen_context(system_u:object_r:container_config_t,s0)
122,123d109
< /var/run/k3s(/.*)?                                                            gen_context(system_u:object_r:container_var_run_t,s0)
< /var/run/k3s/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)?                               gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)
Binary files selinux-policy-34.1.20-1.el9.src/container-selinux.tgz and selinux-policy-34.1.22-1.el9.src/container-selinux.tgz differ
diff -r selinux-policy-34.1.20-1.el9.src/container.te selinux-policy-34.1.22-1.el9.src/container.te
1c1
< policy_module(container, 2.172.0)
---
> policy_module(container, 2.173.0)
118d117
< allow container_runtime_domain self:lockdown { confidentiality integrity };
Only in selinux-policy-34.1.20-1.el9.src: selinux-policy-0b4c1a7aa0be1129efd7e7749100734416a3a10d
Only in selinux-policy-34.1.20-1.el9.src: selinux-policy-0b4c1a7.tar.gz
Only in selinux-policy-34.1.22-1.el9.src: selinux-policy-141c3fde08c02097e0b6fa179a33cc17371e9a22
Only in selinux-policy-34.1.22-1.el9.src: selinux-policy-141c3fd.tar.gz
Only in selinux-policy-34.1.20-1.el9.src: selinux-policy-34.1.20-1.el9.src.rpm
Only in selinux-policy-34.1.22-1.el9.src: selinux-policy-34.1.22-1.el9.src.rpm
diff -r selinux-policy-34.1.20-1.el9.src/selinux-policy.spec selinux-policy-34.1.22-1.el9.src/selinux-policy.spec
3c3
< %global commit 0b4c1a7aa0be1129efd7e7749100734416a3a10d
---
> %global commit 141c3fde08c02097e0b6fa179a33cc17371e9a22
26c26
< Version: 34.1.20
---
> Version: 34.1.22
794a795,832
~~~

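The error quoted in [2] ("Failed to resolve allow statement at .../container/cil:370") is what the policy compiler reports when a module's allow rule names an object class that the base policy no longer declares. The following script is an added example for this bug report, not code from selinux-policy, container-selinux or semodule: it parses a small CIL module and a base-policy class list and reports the allow rules the compiler would reject. The CIL text, the two base-class lists and the `container/cil` path are all constructed to mirror the `self:lockdown` rule quoted above; the real base policy and module are far larger, and this parser does not follow CIL `classpermissionset` indirection.

```python
"""Find allow rules in a CIL module that reference object classes or
permissions the base policy does not declare.

Added example for this bug (not from selinux-policy, container-selinux or
semodule). All CIL snippets below are constructed to mirror the
`allow container_runtime_domain self:lockdown { confidentiality integrity };`
rule that was dropped from container.te between 34.1.20 and 34.1.22.
"""
import re
from dataclasses import dataclass

# Constructed base-policy class declarations: the "old" set still declares
# the lockdown class, the "new" set does not (rhbz#2017848 removed it).
BASE_CIL_OLD = """\
(class file (read write open getattr))
(class capability (sys_admin net_admin))
(class lockdown (confidentiality integrity))
"""
BASE_CIL_NEW = """\
(class file (read write open getattr))
(class capability (sys_admin net_admin))
"""

# Constructed module CIL, roughly what the old container.te compiles to.
MODULE_CIL = """\
(typeattribute container_runtime_domain)
(allow container_runtime_domain self (lockdown (confidentiality integrity)))
(allow container_runtime_domain container_file_t (file (read write open)))
(allow container_runtime_domain self (capability (sys_admin)))
"""

CLASS_DECL_RE = re.compile(r"\(class\s+(\S+)\s+\(([^)]*)\)\)")
ALLOW_RE = re.compile(r"\(allow\s+(\S+)\s+(\S+)\s+\((\S+)\s+\(([^)]*)\)\)\)")


@dataclass(frozen=True)
class AllowRule:
    line: int      # 1-based line within the module, as semodule reports it
    source: str
    target: str
    cls: str
    perms: tuple


def parse_class_decls(cil_text):
    """Return {class_name: set(permissions)} from `(class NAME (PERM ...))`."""
    return {m.group(1): set(m.group(2).split())
            for m in CLASS_DECL_RE.finditer(cil_text)}


def parse_allow_rules(cil_text):
    """Extract one AllowRule per `(allow SRC TGT (CLASS (PERMS)))` line."""
    rules = []
    for lineno, line in enumerate(cil_text.splitlines(), start=1):
        m = ALLOW_RE.match(line.strip())
        if m:
            rules.append(AllowRule(lineno, m.group(1), m.group(2),
                                   m.group(3), tuple(m.group(4).split())))
    return rules


def unresolvable_rules(module_cil, base_classes):
    """Return [(rule, reason)] for rules the compiler cannot resolve.

    A rule fails either because its class is not declared at all (the
    lockdown case in this bug) or because one of its permissions is not
    part of the declared class.
    """
    problems = []
    for rule in parse_allow_rules(module_cil):
        if rule.cls not in base_classes:
            problems.append((rule, f"class '{rule.cls}' not declared"))
            continue
        missing = [p for p in rule.perms if p not in base_classes[rule.cls]]
        if missing:
            problems.append(
                (rule, f"permissions {missing} not in class '{rule.cls}'"))
    return problems


def report(module_cil, base_cil, module_path):
    """Format findings in the style of the semodule error quoted in [2]."""
    base_classes = parse_class_decls(base_cil)
    return [f"Failed to resolve allow statement at {module_path}:{rule.line} "
            f"({reason})"
            for rule, reason in unresolvable_rules(module_cil, base_classes)]


if __name__ == "__main__":
    # Constructed path; the real one is under /var/lib/selinux/targeted/tmp.
    for base_name, base in (("34.1.20", BASE_CIL_OLD), ("34.1.22", BASE_CIL_NEW)):
        lines = report(MODULE_CIL, base, "container/cil")
        print(f"against base {base_name}: "
              + ("\n".join(lines) if lines else "all allow rules resolve"))
```

Run stand-alone it shows the module compiling cleanly against the old base and failing on line 2 against the new one, which is the situation the diff in [3] describes: the module shipped inside selinux-policy 34.1.22 still carried the rule, while that same version removed the class it needs.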
Comment 7 David Vallee Delisle 2022-01-13 17:26:15 UTC
Did another test and I downgraded the selinux-policy package to .20-1 [1]. This returned the same error as when we install openstack-selinux.

But when I installed openstack-selinux after this, I didn't get the same error [2]. 

[1]
~~~
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Running scriptlet: selinux-policy-targeted-34.1.20-1.el9.noarch   1/1
  Preparing        :                                                1/1
  Downgrading      : selinux-policy-34.1.20-1.el9.noarch            1/4
  Running scriptlet: selinux-policy-34.1.20-1.el9.noarch            1/4
Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:370
Failed to resolve AST
/usr/sbin/semodule:  Failed!

  Running scriptlet: selinux-policy-targeted-34.1.20-1.el9.noarch   2/4
  Downgrading      : selinux-policy-targeted-34.1.20-1.el9.noarch   2/4
  Running scriptlet: selinux-policy-targeted-34.1.20-1.el9.noarch   2/4
  Cleanup          : selinux-policy-34.1.22-1.el9.noarch            3/4
  Running scriptlet: selinux-policy-34.1.22-1.el9.noarch            3/4
  Cleanup          : selinux-policy-targeted-34.1.22-1.el9.noarch   4/4
  Running scriptlet: selinux-policy-targeted-34.1.22-1.el9.noarch   4/4
  Running scriptlet: selinux-policy-targeted-34.1.20-1.el9.noarch   4/4
  Running scriptlet: selinux-policy-targeted-34.1.22-1.el9.noarch   4/4
  Verifying        : selinux-policy-34.1.20-1.el9.noarch            1/4
  Verifying        : selinux-policy-34.1.22-1.el9.noarch            2/4
  Verifying        : selinux-policy-targeted-34.1.20-1.el9.noarch   3/4
  Verifying        : selinux-policy-targeted-34.1.22-1.el9.noarch   4/4

Downgraded:
  selinux-policy-34.1.20-1.el9.noarch    selinux-policy-targeted-34.1.20-1.el9.noarch

Complete!

~~~

[2]
~~~
[root@compute-0 ~]# dnf reinstall openstack-selinux
Last metadata expiration check: 0:19:38 ago on Thu 13 Jan 2022 12:03:40 PM EST.
Dependencies resolved.
=====================================================================================================
 Package            Architecture  Version                              Repository                 Size
=====================================================================================================
Reinstalling:
 openstack-selinux  noarch        0.8.29-0.20211110070709.7211283.el9  delorean-component-common  221 k

Transaction Summary
=====================================================================================================

Total download size: 221 k
Installed size: 304 k
Is this ok [y/N]: y
Downloading Packages:
openstack-selinux-0.8.29-0.20211110070709.7211283.el9.noarch.rpm   143 kB/s | 221 kB     00:01
-----------------------------------------------------------------------------------------------------
Total                                                              143 kB/s | 221 kB     00:01
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                               1/1
  Reinstalling     : openstack-selinux-0.8.29-0.20211110070709.7211283.el9.noarch  1/2
  Running scriptlet: openstack-selinux-0.8.29-0.20211110070709.7211283.el9.noarch  1/2
  Running scriptlet: openstack-selinux-0.8.29-0.20211110070709.7211283.el9.noarch  2/2
  Cleanup          : openstack-selinux-0.8.29-0.20211110070709.7211283.el9.noarch  2/2
  Verifying        : openstack-selinux-0.8.29-0.20211110070709.7211283.el9.noarch  1/2
  Verifying        : openstack-selinux-0.8.29-0.20211110070709.7211283.el9.noarch  2/2

Reinstalled:
  openstack-selinux-0.8.29-0.20211110070709.7211283.el9.noarch

Complete!
~~~

Comment 8 David Vallee Delisle 2022-01-13 20:52:29 UTC
So if we upgrade to -22 and then downgrade to -20, we still don't see the os_* booleans. I was able to solve this issue by excluding selinux-policy* from the global upgrade command.

Because a commit is worth a 1000 words: https://gitlab.cee.redhat.com/osp17/rhel9-playground/-/commit/e016f8e94ea4a309d545c7232037016b1f37eeeb

Comment 9 Cédric Jeanneret 2022-01-17 10:52:04 UTC
Hello there,

I just deployed the following UC: master, on cs9. It gives the following packages:
- openstack-selinux-0.8.29-0.20211110070709.7211283.el9.noarch
- container-selinux-2.173.0-1.el9.noarch
- kernel-5.14.0-41.el9.x86_64
- selinux-policy-34.1.22-1.el9.noarch


I get my booleans:
[CentOS-9 - stack@undercloud ~]$ getsebool -a | grep ^os
os_barbican_write_pki --> off
os_cinder_use_nfs --> on
os_dnsmasq_dac_override --> off
os_enable_vtpm --> off
os_glance_dac_override --> on
os_glance_use_nfs --> on
os_glance_use_sudo --> on
os_gnocchi_use_nfs --> on
os_haproxy_dac_override --> on
os_httpd_wsgi --> on
os_keepalived_dac_override --> on
os_keystone_use_execmem --> on
os_neutron_dac_override --> off
os_neutron_use_execmem --> on
os_nova_use_execmem --> on
os_openvswitch_dac_override --> on
os_swift_use_execmem --> on
os_virtlog_dac_override --> on
os_virtlogd_use_nfs --> on

UC deploy successful, with enforced SELinux.

So it seems to be solved, at least for upstream? Would be good to get a second confirmation, just to be sure.

Here's how I deployed:

ansible-playbook -i inventory-builder2.yaml builder.yaml -e @environments/vm-centos9.yaml -e @local_env/centos-stream.yaml -e @local_env/master9.yaml -e @local_env/1ctl.yaml -e @local_env/colleagues-keys.yaml -e overcloud_image_update=false -e @local_env/lab2.yaml -t lab -e @local_env/overcloud.yaml

It uses the following repository versions: tripleo-ci-testing
And injects the following package repositories for the OS:
undercloud_custom_repositories:
  - name: custom-BaseOS
    file: centos-base
    uri: http://mirror.stream.centos.org/9-stream/BaseOS/x86_64/os
    priority: 100
  - name: custom-appstreams
    file: centos-appstreams
    uri: http://mirror.stream.centos.org/9-stream/AppStream/x86_64/os
    priority: 100
  - name: custom-crb
    file: centos-crb
    uri: http://mirror.stream.centos.org/9-stream/CRB/x86_64/os
    priority: 100
  - name: custom-ha
    file: centos-ha
    uri: http://mirror.stream.centos.org/9-stream/HighAvailability/x86_64/os
    priority: 100

Note that this exact same command was failing last week - so, at least on my side, the SELinux issue is over (and I can work on the next one on my list :)).

Cheers, 

C.

Comment 10 Jindrich Novy 2022-01-17 11:06:42 UTC
Thanks for the confirmation Cédric!

Comment 11 David Vallee Delisle 2022-01-17 17:27:59 UTC
For the record, I used the latest version of the centos9 image and I don't have the issue anymore.
