Certmonger calls pkill and is prevented from doing so by SELinux

Bug #1821149 reported by Cédric Jeanneret
Affects: tripleo
Status: Fix Released
Importance: High
Assigned to: Juan Antonio Osorio Robles

Bug Description

Hello,

With the new way certmonger restarts services, we hit several AVCs due to the pkill calls:

type=AVC msg=audit(1553153141.509:3368): avc: denied { getattr } for pid=19269 comm="pkill" path="/proc/2" dev="proc" ino=12381 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1553153141.509:3369): avc: denied { search } for pid=19269 comm="pkill" name="2" dev="proc" ino=12381 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1553153141.509:3369): avc: denied { read } for pid=19269 comm="pkill" name="status" dev="proc" ino=12992 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=file permissive=1
type=AVC msg=audit(1553153141.509:3369): avc: denied { open } for pid=19269 comm="pkill" path="/proc/2/status" dev="proc" ino=12992 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=file permissive=1

It would be best to move to $container_cli kill <container> instead.

Cheers,

C.

Tags: containers
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (master)

Fix proposed to branch: master
Review: https://review.openstack.org/645080

Changed in tripleo:
assignee: nobody → Juan Antonio Osorio Robles (juan-osorio-robles)
status: Triaged → In Progress
Cédric Jeanneret (cjeanner) wrote :

An idea would be to move away from puppet [1] to ansible, directly inside the t-h-t.
It will take some time to develop that, but eventually it will make things cleaner and smarter.

[1] https://github.com/openstack/puppet-tripleo/blob/master/manifests/profile/base/certmonger_user.pp

OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (master)

Reviewed: https://review.openstack.org/645080
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=c5d8ed538a68f79e1adc11030e64da5ecdd64def
Submitter: Zuul
Branch: master

commit c5d8ed538a68f79e1adc11030e64da5ecdd64def
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Thu Mar 21 10:45:37 2019 +0200

    haproxy/certmonger: use container_cli to trigger HUP signal

    We were using pkill, which would fail due to SELinux. Using the
    container cli would be a better option. It's also more portable.

    Change-Id: I6bf92bc1e74797d9132ae595af8929e67d439f43
    Closes-Bug: #1821149

Changed in tripleo:
status: In Progress → Fix Released
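An added example, not code from puppet-tripleo, certmonger or the change reviewed above, covering both the AVC records in the description and the fix in the merged commit: a POSIX sh helper that reduces each denial to the fields a policy decision needs (showing that every record is certmonger_t probing kernel_t entries under /proc, i.e. pkill enumerating processes, including records that were pasted two to a line), and a post-save hook body that reloads the service through the container CLI instead of pkill. The CLI names, the container name and the DRY_RUN variable are assumptions.

```shell
#!/bin/sh
# Added example (not from puppet-tripleo or certmonger). Two helpers:
#  - summarize_avc: one line per AVC record, "comm perm scontext tcontext tclass"
#  - hup_container: post-save hook body that signals a container via the
#    container CLI instead of pkill. CLI/container names are assumptions.
# Sample input: the four AVC records from the report above (the second line
# carries two records glued together, as in the original paste).
SAMPLE_AVC=$(cat <<'EOF'
type=AVC msg=audit(1553153141.509:3368): avc: denied { getattr } for pid=19269 comm="pkill" path="/proc/2" dev="proc" ino=12381 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1553153141.509:3369): avc: denied { search } for pid=19269 comm="pkill" name="2" dev="proc" ino=12381 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1553153141.509:3369): avc: denied { read } for pid=19269 comm="pkill" name="status" dev="proc" ino=12992 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=file permissive=1
type=AVC msg=audit(1553153141.509:3369): avc: denied { open } for pid=19269 comm="pkill" path="/proc/2/status" dev="proc" ino=12992 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=file permissive=1
EOF
)

# Read audit records on stdin; split records that share a line, then print
# the fields that matter for a policy decision.
summarize_avc() {
  awk '
    function val(s, key) {
      if (match(s, key "[^ \"]+")) return substr(s, RSTART + length(key), RLENGTH - length(key))
      return "?"
    }
    {
      n = split($0, rec, /type=AVC /)
      for (i = 1; i <= n; i++) {
        if (!match(rec[i], /denied *[{] *[a-z_ ]+ *[}]/)) continue
        perm = substr(rec[i], RSTART, RLENGTH)
        gsub(/denied *[{] *| *[}]/, "", perm); gsub(/ +/, ",", perm)
        print val(rec[i], "comm=\""), perm, val(rec[i], "scontext="), val(rec[i], "tcontext="), val(rec[i], "tclass=")
      }
    }'
}

# Signal the service inside a container: the runtime delivers SIGHUP, so the
# hook never has to walk /proc from certmonger_t. $1 = docker|podman, $2 = name.
hup_container() {
  cli=$1; name=$2
  case $cli in docker|podman) ;; *) echo "unsupported container cli: $cli" >&2; return 2 ;; esac
  # Certmonger runs this as root: accept only a plain container name.
  case $name in ''|*[!A-Za-z0-9_.-]*) echo "invalid container name: $name" >&2; return 2 ;; esac
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "$cli kill --signal HUP $name"   # assumption: DRY_RUN=1 only prints the command
    return 0
  fi
  "$cli" kill --signal HUP "$name"
}

# Stand-alone run: aggregate the denials by (comm, perm, source, target, class).
printf '%s\n' "$SAMPLE_AVC" | summarize_avc | sort | uniq -c
```

The aggregated output is what you would hand to a policy reviewer: one source domain, one target domain, and only proc-walking permissions, which is why signalling through the runtime removes the need for any new allow rule.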
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 10.4.0

This issue was fixed in the openstack/puppet-tripleo 10.4.0 release.
