Custom selinux policy compilation may fail

Bug #1630740 reported by Brent Eagles
This bug affects 2 people
Affects: tripleo
Status: Fix Released
Importance: Medium
Assigned to: Unassigned
Milestone: -

Bug Description

There may be some issues with custom selinux policies that might cause issues at some point. Several custom selinux policies may fail to compile with errors like the following:

/usr/bin/checkmodule: loading policy configuration from tmp/tripleo-selinux-rabbitmq.tmp
/usr/bin/checkmodule: Module name tripleo_selinux_rabbitmq is different than the output base filename tripleo-selinux-rabbitmq

It seems to be because the policy module names don't match the filename. The culprits are:

tripleo-selinux-mariadb.te
tripleo-selinux-rabbitmq.te

The ipxe module for ironic that is built by the instack-undercloud is also affected:

ipxe.te (module name ironic-ipxe)

Brent Eagles (beagles) wrote :

To be clear, AFAICT this is not affecting the supported OS version at the moment (CentOS 7.2).

Changed in tripleo:
status: New → Confirmed
importance: Undecided → Medium
Andreas Karis (akaris) wrote :

This seems to affect RHEL 7.3

Andreas Karis (akaris) wrote :

Hi Brent,

Other than disabling selinux, what is the workaround for this issue?

Thanks,

Andreas

Nathan Morell (jidar) wrote :

Fixing the module names to look like the following fixes the selinux issue:

[stack@director-osp7 /]$ grep module ./usr/share/instack-undercloud/ipxe/selinux/ipxe.te
module ipxe 1.0;
[stack@director-osp7 /]$ grep module ./usr/share/tripleo-image-elements/selinux/custom-policies/tripleo-selinux-rabbitmq.te
module tripleo-selinux-rabbitmq 1.0;
[stack@director-osp7 /]$ grep module ./usr/share/tripleo-image-elements/selinux/custom-policies/tripleo-selinux-mariadb.te
module tripleo-selinux-mariadb 1.0;

Still seems like 7.3 doesn't work with os-net-config though (but this is all it takes to get past the selinux issues)
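
A pre-build check for the mismatch described in this report, as an added example that is not part of the original thread or of the tripleo code: it compares the `module` statement in each `.te` file with the file's base name. The function names and status strings are hypothetical, and the sample files are constructed from the file and module names quoted above.

```shell
#!/bin/sh
# Added example: flag .te files whose declared module name differs from the
# file's base name, which is the mismatch checkmodule rejects in the error above.

# Print the name declared by the first "module <name> <version>;" statement.
te_module_name() {
    sed -n 's/^[[:space:]]*module[[:space:]]\{1,\}\([^[:space:];]\{1,\}\)[[:space:]].*/\1/p' "$1" | head -n 1
}

# Check every *.te file in a directory. Prints one line per problem and
# returns non-zero if any file would fail the name check.
check_te_dir() {
    dir=$1
    rc=0
    for te in "$dir"/*.te; do
        [ -e "$te" ] || continue              # directory has no .te files
        base=$(basename "$te" .te)
        name=$(te_module_name "$te")
        if [ -z "$name" ]; then
            echo "NO-MODULE-STATEMENT $te"
            rc=1
        elif [ "$name" != "$base" ]; then
            echo "MISMATCH $te: module '$name', expected '$base'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample input: one-line policy files using the names from this
# report (two mismatched, one already matching). Prints the directory path.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'module tripleo_selinux_rabbitmq 1.0;\n' > "$d/tripleo-selinux-rabbitmq.te"
    printf 'module ironic-ipxe 1.0;\n' > "$d/ipxe.te"
    printf 'module tripleo-selinux-mariadb 1.0;\n' > "$d/tripleo-selinux-mariadb.te"
    echo "$d"
}

# Run against a directory when one is given on the command line.
if [ "$#" -gt 0 ]; then
    check_te_dir "$1"
fi
```

Running it against a policy source directory before the image build turns the late `checkmodule` failure into an early one that names each offending file.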

Revision history for this message
Brent Eagles (beagles) wrote :

This was a duplicate of https://bugs.launchpad.net/tripleo/+bug/1635030 which indicates that the issue was fixed in the openstack/instack-undercloud 4.2.1 release.

Changed in tripleo:
status: Confirmed → Fix Released