Description of problem:
oo-cgroup-read is used to allow gear owners to check their cgroup settings and statistics. oo-cgroup-read is a shell script that attempts to run cgget. Current SELinux policy prevents oo-cgroup-read from executing additional programs.

Version-Release number of selected component (if applicable):

How reproducible:
On Fedora 18 with Openshift Origin installed from source after Feb 19:
commit: 2f82b1a6c25db57a5c7728c18bc22e2f7b6c7350
Run smoke tests

Steps to Reproduce:
1. Try building a jbossas application
2. run 'oo-cgroup-read'

Actual results:
Tested on devenv_2829
Now, the LoadError is gone, the code uses oo-ruby instead of ruby to resolve the problem. But SELinux issues arose. The gear owner cannot perform oo-cgroup-read:

[jbossas1-2829t.dev.rhcloud.com ~]> oo-cgroup-read memory.memsw.limit_in_bytes
/usr/bin/env: oo-ruby: Permission denied

[root@ip-10-151-84-246 ~]# ll -Z /usr/bin/oo-cgroup-read
-rwxr-xr-x. root root system_u:object_r:openshift_cgroup_read_exec_t:s0 /usr/bin/oo-cgroup-read

Expected results:
oo-cgroup-read prints the current value of memory.memsw.limit_in_bytes

Additional info:
The recent change added a call out to cgget, where before it used a file read. This requires that the script be able to execute an external program (cgget). I think we need the rule described below added to the openshift-origin policy.

jhonce got us this diagnostic:

type=AVC msg=audit(1361291623.691:128914): avc: denied { execute } for pid=4623 comm="oo-cgroup-read" name="bash" dev=xvde1 ino=29 scontext=unconfined_u:system_r:openshift_cgroup_read_t:s0:c0,c501 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file

Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.

#============= openshift_cgroup_read_t ==============
allow openshift_cgroup_read_t shell_exec_t:file execute;
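The diagnostic above is the raw AVC record and the TE rule that audit2allow derived from it. As an added example (not part of the bug report and not OpenShift or audit2allow code), the following Python script shows how that derivation works: it parses the source and target security contexts out of an AVC "denied" line, keeps only the type field of each context, and emits the allow rule for the (source type, target type, object class) triple, merging permissions when several denials hit the same triple. The first input line is the AVC record quoted in the report; the second is a constructed sample line, not from the report, added only to show permission merging.

```python
import re

# AVC denial copied verbatim from the bug report above.
AVC_FROM_REPORT = (
    'type=AVC msg=audit(1361291623.691:128914): avc: denied { execute } for '
    'pid=4623 comm="oo-cgroup-read" name="bash" dev=xvde1 ino=29 '
    'scontext=unconfined_u:system_r:openshift_cgroup_read_t:s0:c0,c501 '
    'tcontext=system_u:object_r:shell_exec_t:s0 tclass=file'
)

# Constructed sample (NOT from the report) with the same source/target
# types but different permissions, used to demonstrate rule merging.
CONSTRUCTED_AVC = (
    'type=AVC msg=audit(1361291623.700:128915): avc: denied { read open } for '
    'pid=4623 comm="oo-cgroup-read" name="bash" dev=xvde1 ino=29 '
    'scontext=unconfined_u:system_r:openshift_cgroup_read_t:s0:c0,c501 '
    'tcontext=system_u:object_r:shell_exec_t:s0 tclass=file'
)

# Fields of an AVC record that a TE rule needs: verdict, permission set,
# source context, target context and object class.
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Return the type (third field) of a user:role:type[:range] context."""
    parts = ctx.split(':')
    if len(parts) < 3:
        raise ValueError(f'malformed security context: {ctx!r}')
    return parts[2]


def parse_avc(line):
    """Parse one audit line; return None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        'verdict': m['verdict'],
        'perms': sorted(m['perms'].split()),
        'source_type': context_type(m['scontext']),
        'target_type': context_type(m['tcontext']),
        'tclass': m['tclass'],
    }


def allow_rule(denial):
    """Render a parsed denial as a TE allow rule in policy syntax."""
    perms = denial['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return (f"allow {denial['source_type']} {denial['target_type']}:"
            f"{denial['tclass']} {perm_str};")


def rules_from_log(lines):
    """Aggregate denials into one rule per (source, target, class) triple."""
    merged = {}
    for line in lines:
        d = parse_avc(line)
        if d is None or d['verdict'] != 'denied':
            continue  # skip non-AVC lines and 'granted' records
        key = (d['source_type'], d['target_type'], d['tclass'])
        merged.setdefault(key, set()).update(d['perms'])
    return [
        allow_rule({'source_type': src, 'target_type': tgt,
                    'tclass': cls, 'perms': sorted(perms)})
        for (src, tgt, cls), perms in sorted(merged.items())
    ]


if __name__ == '__main__':
    # The report's single denial yields exactly the rule audit2allow printed.
    print(allow_rule(parse_avc(AVC_FROM_REPORT)))
    # With the constructed line added, the two denials collapse into one rule.
    for rule in rules_from_log([AVC_FROM_REPORT, CONSTRUCTED_AVC]):
        print(rule)
```

The rule such a tool produces is only the minimum needed to silence the logged denial; before loading it into the policy, a reviewer should confirm that the confined domain (here openshift_cgroup_read_t) is meant to have that access at all, since the same rule also covers every other file labelled with the target type.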
Related to this bug: https://bugzilla.redhat.com/show_bug.cgi?id=912215 These changes lead to the new bug.
We need the appropriate policy to run oo-ruby anyway.
Bugzilla ticket 912215 will track solving the new SELinux denial. *** This bug has been marked as a duplicate of bug 912215 ***