2162050 – SELinux prevents running update_yum.sh script during container modification

Bug 2162050 - SELinux prevents running update_yum.sh script during container modification

Summary: SELinux prevents running update_yum.sh script during container modification

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	ansible-role-tripleo-modify-image
Sub Component:
Version:	17.1 (Wallaby)
Hardware:	Unspecified
OS:	Unspecified
Priority:	urgent
Severity:	urgent
Target Milestone:	beta
Target Release:	17.1
Assignee:	Cédric Jeanneret
QA Contact:
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	2167724 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2023-01-18 16:42 UTC by Cédric Jeanneret
Modified:	2023-08-16 01:13 UTC (History)
CC List:	2 users (show)
Fixed In Version:	ansible-role-tripleo-modify-image-1.5.0-1.20230119101027.aaa89b2.el9ost
Doc Type:	No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed:	2023-08-16 01:13:15 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
OpenStack gerrit	870966	None	NEW	Ensure update_yum.sh has correct SELinux labels	2023-01-18 16:42:41 UTC
Red Hat Issue Tracker	OSP-21528	None	None	None	2023-01-18 16:45:47 UTC
Red Hat Product Errata	RHEA-2023:4577	None	None	None	2023-08-16 01:13:29 UTC

Description Cédric Jeanneret 2023-01-18 16:42:42 UTC

While testing osp-17.1 on rhel-9.2, I hit a SELinux denial:

/var/log/audit/audit.log.1:type=AVC msg=audit(1674049903.359:22746): avc:  denied  { open } for  pid=69064 comm="yum_update.sh" path="/tmp/yum_update.sh" dev="vda4" ino=176236830 scontext=system_u:system_r:container_t:s0:c568,c599 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0


After some checks, this call is from within the modification image role[1][2][3]. The script is passed as a volume to buildah, and it's missing the appropiate ":z" flag.

I'd suspect a change in the SELinux container policy in el-9.2.

I proposed a patch upstream already, but we'll need it asap downstream in order to get proper el-9.2 support for 17.1 CI (and customers, and everything).

I also got a proactive backport plus a testproject in order to ensure it's passing right - so far, so good, will do the appropriate follow-up in this BZ + patches on due time.

[1] https://opendev.org/openstack/ansible-role-tripleo-modify-image/src/branch/master/tasks/yum_update_buildah.yml#L38-L42

[2] https://opendev.org/openstack/ansible-role-tripleo-modify-image/src/branch/master/tasks/yum_update_buildah.yml#L109

[3] https://opendev.org/openstack/ansible-role-tripleo-modify-image/src/branch/master/tasks/yum_update_buildah.yml#L133

Comment 7 Cédric Jeanneret 2023-02-08 15:09:26 UTC

*** Bug 2167724 has been marked as a duplicate of this bug. ***

Comment 17 errata-xmlrpc 2023-08-16 01:13:15 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Release of components for Red Hat OpenStack Platform 17.1 (Wallaby)), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2023:4577

Note You need to log in before you can comment on or make changes to this bug.