Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 2123318

Summary: icmp health monitors are broken in rhosp16.1
Product: Red Hat OpenStack Reporter: Gregory Thiemonge <gthiemon>
Component: openstack-octaviaAssignee: Gregory Thiemonge <gthiemon>
Status: CLOSED ERRATA QA Contact: Bruna Bonguardo <bbonguar>
Severity: low Docs Contact:
Priority: low    
Version: 16.2 (Train)CC: bbonguar, cjeanner, dhill, enothen, gregraka, gthiemon, jpichon, lpeer, majopela, michjohn, scohen
Target Milestone: z4Keywords: Triaged
Target Release: 16.2 (Train on RHEL 8.4)   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: openstack-selinux-0.8.35-2.20220817085629.c5a2896.el8ost openstack-octavia-5.1.3-2.20220906164817.2e0a650.el8ost Doc Type: Bug Fix
Doc Text:
Before this update, an SELinux issue triggered errors with Red Hat OpenStack Platform (RHOSP) Load-balancing service (octavia) ICMP health monitors that used the amphora provider driver. In RHOSP 16.2.4, this issue has been fixed and ICMP health monitors function properly.
 Story Points: ---
Clone Of: 2096387
: 2125610 (view as bug list) Environment:
Last Closed: 2022-12-07 19:24:40 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2096387    
Bug Blocks: 2125610    

Description Gregory Thiemonge 2022-09-01 11:35:52 UTC 
+++ This bug was initially created as a clone of Bug #2096387 +++

Description of problem:
icmp health monitors are broken in rhosp16.1 to what appears to be a selinux restriction:

type=AVC msg=audit(1655139457.142:1084): avc:  denied  { execute } for  pid=7087 comm="haproxy" name="bash" dev="vda1" ino=4215375 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1655139460.518:1090): avc:  denied  { execute } for  pid=7093 comm="haproxy" name="bash" dev="vda1" ino=4215375 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1655139461.328:1091): avc:  denied  { execute } for  pid=7094 comm="haproxy" name="bash" dev="vda1" ino=4215375 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1655139462.247:1113): avc:  denied  { execute } for  pid=7132 comm="haproxy" name="bash" dev="vda1" ino=4215375 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1655139465.621:1118): avc:  denied  { execute } for  pid=7157 comm="haproxy" name="bash" dev="vda1" ino=4215375 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1655139466.431:1119): avc:  denied  { execute } for  pid=7158 comm="haproxy" name="bash" dev="vda1" ino=4215375 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1655139467.349:1120): avc:  denied  { execute } for  pid=7159 comm="haproxy" name="bash" dev="vda1" ino=4215375 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1655139470.722:1121): avc:  denied  { execute } for  pid=7164 comm="haproxy" name="bash" dev="vda1" ino=4215375 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1655139471.532:1122): avc:  denied  { execute } for  pid=7165 comm="haproxy" name="bash" dev="vda1" ino=4215375 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1655139472.450:1125): avc:  denied  { execute } for  pid=7167 comm="haproxy" name="bash" dev="vda1" ino=4215375 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1655139472.452:1126): avc:  denied  { execute } for  pid=7168 comm="ping-wrapper.sh" name="ping" dev="vda1" ino=4215754 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:ping_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1655139472.452:1126): avc:  denied  { read open } for  pid=7168 comm="ping-wrapper.sh" path="/usr/bin/ping" dev="vda1" ino=4215754 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:ping_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1655139472.452:1126): avc:  denied  { execute_no_trans } for  pid=7168 comm="ping-wrapper.sh" path="/usr/bin/ping" dev="vda1" ino=4215754 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:ping_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1655139472.457:1127): avc:  denied  { setcap } for  pid=7168 comm="ping" scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:haproxy_t:s0 tclass=process permissive=1
type=AVC msg=audit(1655139472.457:1128): avc:  denied  { create } for  pid=7168 comm="ping" scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:haproxy_t:s0 tclass=icmp_socket permissive=1
type=AVC msg=audit(1655139472.457:1129): avc:  denied  { create } for  pid=7168 comm="ping" scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:haproxy_t:s0 tclass=rawip_socket permissive=1
type=AVC msg=audit(1655139472.457:1130): avc:  denied  { setopt } for  pid=7168 comm="ping" lport=1 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:haproxy_t:s0 tclass=rawip_socket permissive=1
type=AVC msg=audit(1655139472.457:1131): avc:  denied  { getopt } for  pid=7168 comm="ping" lport=1 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:haproxy_t:s0 tclass=rawip_socket permissive=1
type=AVC msg=audit(1655139496.100:1133): avc:  denied  { execmem } for  pid=7217 comm="haproxy" scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:haproxy_t:s0 tclass=process permissive=1




[root@amphora-511460b7-c49e-4e3c-aa25-b40b6a162d4a audit]# grep denied audit.log  | audit2allow -R

require {
        type haproxy_t;
        type shell_exec_t;
        type ping_exec_t;
        class process { execmem setcap };
        class icmp_socket create;
        class rawip_socket { create getopt setopt };
        class file { execute execute_no_trans open read };
}

#============= haproxy_t ==============
allow haproxy_t ping_exec_t:file { execute execute_no_trans open read };
allow haproxy_t self:icmp_socket create;

#!!!! This avc can be allowed using the boolean 'cluster_use_execmem'
allow haproxy_t self:process execmem;
allow haproxy_t self:process setcap;
allow haproxy_t self:rawip_socket { create getopt setopt }

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 14 errata-xmlrpc 2022-12-07 19:24:40 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Release of components for Red Hat OpenStack Platform 16.2.4), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:8794