Bug 2125610 - icmp health monitors are broken
Summary: icmp health monitors are broken
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-octavia
Version: 17.0 (Wallaby)
Hardware: x86_64
OS: Linux
low
low
Target Milestone: beta
: 17.1
Assignee: Gregory Thiemonge
QA Contact: Bruna Bonguardo
URL:
Whiteboard:
Depends On: 2096387 2123318
Blocks:
Reported: 2022-09-09 12:59 UTC by Gregory Thiemonge
Modified: 2023-08-16 01:12 UTC (History)

Fixed In Version: openstack-octavia-8.0.2-1.20230209170843.f6d2e59.el9ost
Doc Type: Bug Fix
Doc Text:
Before this update, an SELinux issue triggered errors with Red Hat OpenStack Platform (RHOSP) Load-balancing service (octavia) ICMP health monitors that used the Amphora provider driver. In RHOSP 17.1, this issue has been fixed and ICMP health monitors function correctly.
Clone Of: 2123318
Environment:
Last Closed: 2023-08-16 01:12:09 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
OpenStack gerrit 836149 0 None MERGED Fix PING health-monitor with recent haproxy releases 2022-09-09 13:26:45 UTC
OpenStack gerrit 836170 0 None MERGED Fix PING health-monitor with recent Centos releases 2023-01-25 07:31:16 UTC
OpenStack gerrit 853996 0 None MERGED Apply openstack-selinux policies in Centos amphorae 2022-09-09 13:26:45 UTC
OpenStack gerrit 871684 0 None NEW Fix PING health-monitor with recent haproxy releases 2023-02-07 12:49:26 UTC
OpenStack gerrit 871688 0 None NEW Fix PING health-monitor with recent Centos releases 2023-02-07 12:49:27 UTC
Red Hat Issue Tracker OSP-18640 0 None None None 2022-09-09 13:12:49 UTC
Red Hat Product Errata RHEA-2023:4577 0 None None None 2023-08-16 01:12:35 UTC

Description Gregory Thiemonge 2022-09-09 12:59:22 UTC
+++ This bug was initially created as a clone of Bug #2123318 +++

+++ This bug was initially created as a clone of Bug #2096387 +++

Description of problem:
icmp health monitors are broken in rhosp16.1 due to what appears to be a selinux restriction:

type=AVC msg=audit(1655139457.142:1084): avc:  denied  { execute } for  pid=7087 comm="haproxy" name="bash" dev="vda1" ino=4215375 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1655139460.518:1090): avc:  denied  { execute } for  pid=7093 comm="haproxy" name="bash" dev="vda1" ino=4215375 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1655139461.328:1091): avc:  denied  { execute } for  pid=7094 comm="haproxy" name="bash" dev="vda1" ino=4215375 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1655139462.247:1113): avc:  denied  { execute } for  pid=7132 comm="haproxy" name="bash" dev="vda1" ino=4215375 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1655139465.621:1118): avc:  denied  { execute } for  pid=7157 comm="haproxy" name="bash" dev="vda1" ino=4215375 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1655139466.431:1119): avc:  denied  { execute } for  pid=7158 comm="haproxy" name="bash" dev="vda1" ino=4215375 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1655139467.349:1120): avc:  denied  { execute } for  pid=7159 comm="haproxy" name="bash" dev="vda1" ino=4215375 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1655139470.722:1121): avc:  denied  { execute } for  pid=7164 comm="haproxy" name="bash" dev="vda1" ino=4215375 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1655139471.532:1122): avc:  denied  { execute } for  pid=7165 comm="haproxy" name="bash" dev="vda1" ino=4215375 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1655139472.450:1125): avc:  denied  { execute } for  pid=7167 comm="haproxy" name="bash" dev="vda1" ino=4215375 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1655139472.452:1126): avc:  denied  { execute } for  pid=7168 comm="ping-wrapper.sh" name="ping" dev="vda1" ino=4215754 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:ping_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1655139472.452:1126): avc:  denied  { read open } for  pid=7168 comm="ping-wrapper.sh" path="/usr/bin/ping" dev="vda1" ino=4215754 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:ping_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1655139472.452:1126): avc:  denied  { execute_no_trans } for  pid=7168 comm="ping-wrapper.sh" path="/usr/bin/ping" dev="vda1" ino=4215754 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:ping_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1655139472.457:1127): avc:  denied  { setcap } for  pid=7168 comm="ping" scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:haproxy_t:s0 tclass=process permissive=1
type=AVC msg=audit(1655139472.457:1128): avc:  denied  { create } for  pid=7168 comm="ping" scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:haproxy_t:s0 tclass=icmp_socket permissive=1
type=AVC msg=audit(1655139472.457:1129): avc:  denied  { create } for  pid=7168 comm="ping" scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:haproxy_t:s0 tclass=rawip_socket permissive=1
type=AVC msg=audit(1655139472.457:1130): avc:  denied  { setopt } for  pid=7168 comm="ping" lport=1 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:haproxy_t:s0 tclass=rawip_socket permissive=1
type=AVC msg=audit(1655139472.457:1131): avc:  denied  { getopt } for  pid=7168 comm="ping" lport=1 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:haproxy_t:s0 tclass=rawip_socket permissive=1
type=AVC msg=audit(1655139496.100:1133): avc:  denied  { execmem } for  pid=7217 comm="haproxy" scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:haproxy_t:s0 tclass=process permissive=1
[root@amphora-511460b7-c49e-4e3c-aa25-b40b6a162d4a audit]# grep denied audit.log  | audit2allow -R

require {
        type haproxy_t;
        type shell_exec_t;
        type ping_exec_t;
        class process { execmem setcap };
        class icmp_socket create;
        class rawip_socket { create getopt setopt };
        class file { execute execute_no_trans open read };
}

#============= haproxy_t ==============
allow haproxy_t ping_exec_t:file { execute execute_no_trans open read };
allow haproxy_t self:icmp_socket create;

#!!!! This avc can be allowed using the boolean 'cluster_use_execmem'
allow haproxy_t self:process execmem;
allow haproxy_t self:process setcap;
allow haproxy_t self:rawip_socket { create getopt setopt };

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
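
The AVC records quoted above carry the whole diagnosis: in enforcing mode haproxy_t is denied execute on bash (shell_exec_t), which is what kills the PING health monitor, and once the amphora is switched to permissive the follow-on denials for ping (ping_exec_t) and its icmp_socket/rawip_socket appear. The Python below is an added example, not code from this bug or from Octavia, that parses such auditd lines, aggregates denials per (source type, target type, class, permission), records whether each one was actually enforced (permissive=0) or only logged, and flags the health-monitor signature. The sample records are constructed after the ones quoted here; pids and inodes are made up.

```python
import re

# Constructed auditd records modelled on the AVC denials quoted in the bug
# (two enforced bash denials, three logged-only denials, one non-AVC line).
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1655139457.142:1084): avc:  denied  { execute } for  pid=7087 comm="haproxy" name="bash" dev="vda1" ino=4215375 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1655139460.518:1090): avc:  denied  { execute } for  pid=7093 comm="haproxy" name="bash" dev="vda1" ino=4215375 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1655139472.452:1126): avc:  denied  { execute } for  pid=7168 comm="ping-wrapper.sh" name="ping" dev="vda1" ino=4215754 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:ping_exec_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1655139472.452:1126): avc:  denied  { read open } for  pid=7168 comm="ping-wrapper.sh" path="/usr/bin/ping" dev="vda1" ino=4215754 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:ping_exec_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1655139472.457:1128): avc:  denied  { create } for  pid=7168 comm="ping" scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:haproxy_t:s0 tclass=icmp_socket permissive=1',
    'type=SYSCALL msg=audit(1655139472.457:1128): arch=c000003e syscall=41 success=yes exit=3',
]

# "avc:  denied  { perm perm } for  key=value key="value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    fields['perms'] = frozenset(m.group('perms').split())
    # Contexts look like system_u:system_r:haproxy_t:s0; keep only the type.
    fields['stype'] = fields['scontext'].split(':')[2]
    fields['ttype'] = fields['tcontext'].split(':')[2]
    return fields

def summarize(lines):
    """Aggregate denials by (source type, target type, class, permission) and
    note whether any occurrence was enforced (permissive=0) rather than logged."""
    summary = {}
    for line in lines:
        avc = parse_avc(line)
        if avc is None:
            continue
        for perm in avc['perms']:
            key = (avc['stype'], avc['ttype'], avc['tclass'], perm)
            entry = summary.setdefault(key, {'count': 0, 'enforced': False})
            entry['count'] += 1
            if avc.get('permissive') == '0':
                entry['enforced'] = True
    return summary

def ping_monitor_blocked(summary):
    """True when haproxy_t was actually blocked from executing the shell or
    ping binary: the signature of the broken PING health monitor in this bug."""
    return any(s == 'haproxy_t' and t in ('shell_exec_t', 'ping_exec_t')
               and c == 'file' and p == 'execute' and e['enforced']
               for (s, t, c, p), e in summary.items())
```

Running summarize() over an amphora's audit.log before and after applying the openstack-selinux policy gives a quick check that the execute denials have gone away rather than merely moved to permissive logging.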

Comment 18 errata-xmlrpc 2023-08-16 01:12:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Release of components for Red Hat OpenStack Platform 17.1 (Wallaby)), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2023:4577

