selinux ssh denials on CentOS/RHEL 8
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
tripleo | Incomplete | High | Unassigned |
Bug Description
Observed the following on the undercloud while doing an overcloud deployment:
type=AVC msg=audit(
type=AVC msg=audit(
type=AVC msg=audit(
type=AVC msg=audit(
type=AVC msg=audit(
type=AVC msg=audit(
The deploy CLI fails with:
2019-03-26 18:02:25Z [overcloud.
Your identification has been saved in /tmp/tmptj7cv8y
Your public key has been saved in /tmp/tmptj7cv8y
The key fingerprint is:
SHA256:
The key's randomart image is:
+---[RSA 4096]----+
|+. ..o o . |
|*...+ = = . |
|.o.o.* = . |
| .+ =... |
| . + * S |
|. +o + * |
|.=.o+ = o |
|+ o.o+ o E |
|.oo+=o . |
+----[SHA256]-----+
Warning: Permanently added '192.168.24.24' (ECDSA) to the list of known hosts.
Warning: Permanently added '192.168.24.21' (ECDSA) to the list of known hosts.
Warning: Permanently added '192.168.24.10' (ECDSA) to the list of known hosts.
Warning: Permanently added '192.168.24.22' (ECDSA) to the list of known hosts.
Warning: Permanently added '192.168.24.24' (ECDSA) to the list of known hosts.
Warning: Permanently added '192.168.24.21' (ECDSA) to the list of known hosts.
Warning: Permanently added '192.168.24.10' (ECDSA) to the list of known hosts.
Warning: Permanently added '192.168.24.22' (ECDSA) to the list of known hosts.
Waiting for messages on queue 'tripleo' with no timeout.
Exception occured while running the command
Traceback (most recent call last):
File "/usr/lib/
super(Command, self).run(
File "/usr/lib/
return super(Command, self).run(
File "/usr/lib/
return_code = self.take_
File "/usr/lib/
verbosity=
File "/usr/lib/
raise exceptions.
tripleoclient.
Overcloud configuration failed.
2019-03-26 18:02:25Z [overcloud.
2019-03-26 18:02:26Z [overcloud.
2019-03-26 18:02:26Z [overcloud.
2019-03-26 18:02:26Z [overcloud.
2019-03-26 18:02:27Z [overcloud.
2019-03-26 18:02:27Z [overcloud.
2019-03-26 18:02:27Z [overcloud.
2019-03-26 18:02:27Z [overcloud.
2019-03-26 18:02:27Z [overcloud.
2019-03-26 18:02:28Z [overcloud.
2019-03-26 18:02:28Z [overcloud.
2019-03-26 18:02:28Z [overcloud.
2019-03-26 18:02:28Z [overcloud.
2019-03-26 18:02:29Z [overcloud.
2019-03-26 18:02:29Z [overcloud]: CREATE_COMPLETE Stack CREATE completed successfully
Stack overcloud/
Deploying overcloud configuration
Enabling ssh admin (tripleo-admin) for hosts:
192.168.24.24 192.168.24.21 192.168.24.10 192.168.24.22
Using ssh user heat-admin for initial connection.
Using ssh key at /home/stack/
Inserting TripleO short term key for 192.168.24.24
Inserting TripleO short term key for 192.168.24.21
Inserting TripleO short term key for 192.168.24.10
Inserting TripleO short term key for 192.168.24.22
Starting ssh admin enablement workflow
ssh admin enablement workflow - RUNNING.
ssh admin enablement workflow - RUNNING.
ssh admin enablement workflow - RUNNING.
ssh admin enablement workflow - COMPLETE.
Removing TripleO short term key from 192.168.24.24
Removing TripleO short term key from 192.168.24.21
Removing TripleO short term key from 192.168.24.10
Removing TripleO short term key from 192.168.24.22
Removing short term keys locally
Enabling ssh admin - COMPLETE.
Config downloaded at /var/lib/
Inventory generated at /var/lib/
Running ansible playbook at /var/lib/
Using /var/lib/
/var/lib/
/var/lib/
PLAY [Gather facts from undercloud] *******
TASK [Gathering Facts] *******
Tuesday 26 March 2019 18:03:34 +0000 (0:00:00.032) 0:00:00.032 *********
fatal: [undercloud]: UNREACHABLE! => {"changed": false, "msg": "SSH Error: data could not be sent to remote host \"localhost\". Make sure this host can be reached over ssh", "unreachable": true}
PLAY RECAP *******
undercloud : ok=0 changed=0 unreachable=1 failed=0
Tuesday 26 March 2019 18:05:31 +0000 (0:01:57.193) 0:01:57.226 *********
=======
Ansible failed, check log at /var/lib/
Changed in tripleo:
milestone: stein-rc1 → train-1
Changed in tripleo:
milestone: train-1 → train-2
Changed in tripleo:
milestone: train-2 → train-3
Changed in tripleo:
milestone: train-3 → ussuri-1
Changed in tripleo:
milestone: ussuri-1 → ussuri-2
Changed in tripleo:
milestone: ussuri-2 → ussuri-3
Changed in tripleo:
milestone: ussuri-3 → ussuri-rc3
Changed in tripleo:
status: Triaged → Incomplete
Changed in tripleo:
milestone: ussuri-rc3 → victoria-1
Changed in tripleo:
milestone: victoria-1 → victoria-3
Seems the issue is that ~tripleo-admin/.ssh/authorized_keys gets created with the container_t context and ssh to localhost then fails:

[root@undercloud-0 ~]# ls -laZR /home/tripleo-admin/.ssh/
/home/tripleo-admin/.ssh/:
total 12
drwx------. 2 tripleo-admin tripleo-admin unconfined_u:object_r:ssh_home_t:s0               61 Mar 26 18:02 .
drwx------. 3 tripleo-admin tripleo-admin unconfined_u:object_r:user_home_dir_t:s0          74 Mar 26 17:12 ..
-rw-------. 1 tripleo-admin tripleo-admin system_u:object_r:container_file_t:s0:c85,c195   830 Mar 26 18:02 authorized_keys
-rw-------. 1 tripleo-admin tripleo-admin unconfined_u:object_r:ssh_home_t:s0             1864 Mar 26 17:12 id_rsa
-rw-r--r--. 1 tripleo-admin tripleo-admin unconfined_u:object_r:ssh_home_t:s0              428 Mar 26 17:12 id_rsa.pub
After I run a forced relabel:

[root@undercloud-0 ~]# restorecon -Rv /home/tripleo-admin/.ssh/
/home/tripleo-admin/.ssh/authorized_keys not reset as customized by admin to system_u:object_r:container_file_t:s0:c85,c195
[root@undercloud-0 ~]# restorecon -RvF /home/tripleo-admin/.ssh/
Relabeled /home/tripleo-admin/.ssh/authorized_keys from system_u:object_r:container_file_t:s0:c85,c195 to unconfined_u:object_r:ssh_home_t:s0

The deploy continued.
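The comment above shows why a plain `restorecon -Rv` was not enough: `container_file_t` is one of the types SELinux policy lists as "customizable", and `restorecon` leaves files carrying a customizable type alone unless it is run with `-F`. The following shell check, added here as an example and not part of the bug report or of TripleO's own tooling, audits a `~/.ssh` listing for labels that are not `ssh_home_t` and says which `restorecon` invocation is needed. The sample listing is constructed to mirror the report's `ls -laZ` output; the list of customizable types defaults to `container_file_t` only (an assumption; on a real host populate `CUSTOMIZABLE_TYPES` from `/etc/selinux/targeted/contexts/customizable_types`).

```shell
#!/usr/bin/env bash
# Audit ~/.ssh SELinux labels and pick the restorecon flags that will actually
# reset them. Added example; not from the bug report or from TripleO.

# Types restorecon skips unless invoked with -F. Default is an assumption that
# covers the case in the report; override from the policy's customizable_types
# file on a real host, e.g.:
#   CUSTOMIZABLE_TYPES=$(tr '\n' ' ' < /etc/selinux/targeted/contexts/customizable_types)
CUSTOMIZABLE_TYPES="${CUSTOMIZABLE_TYPES:-container_file_t}"

# Constructed sample of `ls -laZ ~tripleo-admin/.ssh`, modelled on the report.
SAMPLE_LISTING='total 12
drwx------. 2 tripleo-admin tripleo-admin unconfined_u:object_r:ssh_home_t:s0 61 Mar 26 18:02 .
drwx------. 3 tripleo-admin tripleo-admin unconfined_u:object_r:user_home_dir_t:s0 74 Mar 26 17:12 ..
-rw-------. 1 tripleo-admin tripleo-admin system_u:object_r:container_file_t:s0:c85,c195 830 Mar 26 18:02 authorized_keys
-rw-------. 1 tripleo-admin tripleo-admin unconfined_u:object_r:ssh_home_t:s0 1864 Mar 26 17:12 id_rsa
-rw-r--r--. 1 tripleo-admin tripleo-admin unconfined_u:object_r:ssh_home_t:s0 428 Mar 26 17:12 id_rsa.pub'

# selinux_type user:role:type[:range] -> type
selinux_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# is_customizable_type TYPE -> 0 if restorecon would skip it without -F
is_customizable_type() {
  case " $CUSTOMIZABLE_TYPES " in
    *" $1 "*) return 0 ;;
  esac
  return 1
}

# audit_ssh_listing: reads `ls -laZ` lines on stdin; for every entry whose
# type is not ssh_home_t prints "<name> <type> <restorecon command>".
# ".." is the home directory itself (user_home_dir_t) and is skipped.
audit_ssh_listing() {
  while read -r perms links owner group ctx size mon day tm name; do
    case "$perms" in
      -*|d*) ;;          # regular file or directory entry
      *) continue ;;     # "total N" and anything else
    esac
    [ "$name" = ".." ] && continue
    ltype=$(selinux_type "$ctx")
    [ "$ltype" = ssh_home_t ] && continue
    if is_customizable_type "$ltype"; then
      printf '%s %s restorecon -RvF\n' "$name" "$ltype"
    else
      printf '%s %s restorecon -Rv\n' "$name" "$ltype"
    fi
  done
}

# audit_ssh_dir DIR: run the audit against a live directory (SELinux host only).
audit_ssh_dir() {
  ls -laZ "$1" | audit_ssh_listing
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_LISTING" | audit_ssh_listing
```

On the host in the report, `audit_ssh_dir /home/tripleo-admin/.ssh` would flag only `authorized_keys` and tell you to use `-F`; anything labelled with a non-customizable wrong type would be fixed by the ordinary `restorecon -Rv`.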