2123318 – icmp health monitors are broken in rhosp16.1

Bug 2123318 - icmp health monitors are broken in rhosp16.1

Summary: icmp health monitors are broken in rhosp16.1

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-octavia
Sub Component:
Version:	16.2 (Train)
Hardware:	x86_64
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	z4
Target Release:	16.2 (Train on RHEL 8.4)
Assignee:	Gregory Thiemonge
QA Contact:	Bruna Bonguardo
Docs Contact:
URL:
Whiteboard:
Depends On:	2096387
Blocks:	2125610
TreeView+	depends on / blocked

Reported:	2022-09-01 11:35 UTC by Gregory Thiemonge
Modified:	2022-12-20 15:33 UTC (History)
CC List:	11 users (show)
Fixed In Version:	openstack-selinux-0.8.35-2.20220817085629.c5a2896.el8ost openstack-octavia-5.1.3-2.20220906164817.2e0a650.el8ost
Doc Type:	Bug Fix
Doc Text:	Before this update, an SELinux issue triggered errors with Red Hat OpenStack Platform (RHOSP) Load-balancing service (octavia) ICMP health monitors that used the amphora provider driver. In RHOSP 16.2.4, this issue has been fixed and ICMP health monitors function properly.
Clone Of:	2096387
Clones:	2125610 (view as bug list)
Environment:
Last Closed:	2022-12-07 19:24:40 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
OpenStack gerrit	853999	None	MERGED	Apply openstack-selinux policies in Centos amphorae	2022-09-07 06:43:50 UTC
RDO	44614	None	None	None	2022-09-07 06:43:50 UTC
Red Hat Issue Tracker	OSP-18503	None	None	None	2022-09-01 11:40:05 UTC
Red Hat Product Errata	RHBA-2022:8794	None	None	None	2022-12-07 19:25:31 UTC

Description Gregory Thiemonge 2022-09-01 11:35:52 UTC

+++ This bug was initially created as a clone of Bug #2096387 +++

Description of problem:
icmp health monitors are broken in rhosp16.1 to what appears to be a selinux restriction:

type=AVC msg=audit(1655139457.142:1084): avc:  denied  { execute } for  pid=7087 comm="haproxy" name="bash" dev="vda1" ino=4215375 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1655139460.518:1090): avc:  denied  { execute } for  pid=7093 comm="haproxy" name="bash" dev="vda1" ino=4215375 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1655139461.328:1091): avc:  denied  { execute } for  pid=7094 comm="haproxy" name="bash" dev="vda1" ino=4215375 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1655139462.247:1113): avc:  denied  { execute } for  pid=7132 comm="haproxy" name="bash" dev="vda1" ino=4215375 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1655139465.621:1118): avc:  denied  { execute } for  pid=7157 comm="haproxy" name="bash" dev="vda1" ino=4215375 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1655139466.431:1119): avc:  denied  { execute } for  pid=7158 comm="haproxy" name="bash" dev="vda1" ino=4215375 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1655139467.349:1120): avc:  denied  { execute } for  pid=7159 comm="haproxy" name="bash" dev="vda1" ino=4215375 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1655139470.722:1121): avc:  denied  { execute } for  pid=7164 comm="haproxy" name="bash" dev="vda1" ino=4215375 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1655139471.532:1122): avc:  denied  { execute } for  pid=7165 comm="haproxy" name="bash" dev="vda1" ino=4215375 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1655139472.450:1125): avc:  denied  { execute } for  pid=7167 comm="haproxy" name="bash" dev="vda1" ino=4215375 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1655139472.452:1126): avc:  denied  { execute } for  pid=7168 comm="ping-wrapper.sh" name="ping" dev="vda1" ino=4215754 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:ping_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1655139472.452:1126): avc:  denied  { read open } for  pid=7168 comm="ping-wrapper.sh" path="/usr/bin/ping" dev="vda1" ino=4215754 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:ping_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1655139472.452:1126): avc:  denied  { execute_no_trans } for  pid=7168 comm="ping-wrapper.sh" path="/usr/bin/ping" dev="vda1" ino=4215754 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:ping_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1655139472.457:1127): avc:  denied  { setcap } for  pid=7168 comm="ping" scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:haproxy_t:s0 tclass=process permissive=1
type=AVC msg=audit(1655139472.457:1128): avc:  denied  { create } for  pid=7168 comm="ping" scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:haproxy_t:s0 tclass=icmp_socket permissive=1
type=AVC msg=audit(1655139472.457:1129): avc:  denied  { create } for  pid=7168 comm="ping" scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:haproxy_t:s0 tclass=rawip_socket permissive=1
type=AVC msg=audit(1655139472.457:1130): avc:  denied  { setopt } for  pid=7168 comm="ping" lport=1 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:haproxy_t:s0 tclass=rawip_socket permissive=1
type=AVC msg=audit(1655139472.457:1131): avc:  denied  { getopt } for  pid=7168 comm="ping" lport=1 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:haproxy_t:s0 tclass=rawip_socket permissive=1
type=AVC msg=audit(1655139496.100:1133): avc:  denied  { execmem } for  pid=7217 comm="haproxy" scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:haproxy_t:s0 tclass=process permissive=1




[root@amphora-511460b7-c49e-4e3c-aa25-b40b6a162d4a audit]# grep denied audit.log  | audit2allow -R

require {
        type haproxy_t;
        type shell_exec_t;
        type ping_exec_t;
        class process { execmem setcap };
        class icmp_socket create;
        class rawip_socket { create getopt setopt };
        class file { execute execute_no_trans open read };
}

#============= haproxy_t ==============
allow haproxy_t ping_exec_t:file { execute execute_no_trans open read };
allow haproxy_t self:icmp_socket create;

#!!!! This avc can be allowed using the boolean 'cluster_use_execmem'
allow haproxy_t self:process execmem;
allow haproxy_t self:process setcap;
allow haproxy_t self:rawip_socket { create getopt setopt }

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 14 errata-xmlrpc 2022-12-07 19:24:40 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Release of components for Red Hat OpenStack Platform 16.2.4), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:8794

Note You need to log in before you can comment on or make changes to this bug.