tripleo

Wrong SELinux label on container-puppet.sh

Bug #1854377 reported by Mihai Plasoianu on 2019-11-28

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	tripleo	Fix Released	Medium	Cédric Jeanneret	tripleo ussuri-3 "tripleo ussuri-3"

Bug Description

Description
===========
During deployment, the /var/lib/container-puppet dir is being created with a setype and recurse=true. Afterwards, the file container-puppet.sh is being copied into the dir without setting a setype. The file then has the type var_lib_t, which prevents any container from starting during deploy step 1. On a subsequent run, the recurse=true of the dir creation step sets the right setype on the file, so the step passes.

Steps to reproduce
==================
* Deploy overcloud in clean env

Expected result
===============
Deploy step 1 should succeed.

Actual result
=============
Deploy step 1 fails.

Environment
===========
OpenStack Train on newest CentOS 7.7

Logs & Configs
==============
from audit.log:

00:33 type=AVC msg=audit(1574894721.231:8236): avc: denied { read } for pid=30635 comm="container-puppe" name="container-puppet.sh" dev="dm-2" ino=33589538 scontext=system_u:system_r:container_t:s0:c134,c255 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0

Tags:

OpenStack Infra (hudson-openstack) on 2019-11-28

Changed in tripleo:
assignee:	nobody → Cédric Jeanneret (cjeanner)
status:	New → In Progress

Revision history for this message

Cédric Jeanneret (cjeanner) wrote on 2019-11-28:

So apparently there is some race condition somewhere preventing the container-puppet.sh to be properly accessed.

Changed in tripleo:
importance:	Undecided → Medium
milestone:	none → ussuri-3
status:	In Progress → Triaged
tags:	added: train-backport-potential
Changed in tripleo:
status:	Triaged → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-12-06: Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.opendev.org/696602
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=3b146b1e45fbf3a7829128eeb6dd510f9f21b278
Submitter: Zuul
Branch: master

commit 3b146b1e45fbf3a7829128eeb6dd510f9f21b278
Author: Cédric Jeanneret <email address hidden>
Date: Thu Nov 28 16:25:33 2019 +0100

Ensure we set proper SELinux label on container-puppet.sh

Just to ensure we have the right label, even if something does mount the
directory with re-labelling. This would avoid any race-condition chance.

Also update old svirt_sandbox_file_t alias since the common thing is
"container_file_t".

Change-Id: Ic036ad901885f9d8c8072b560f2d9f3c8e919d58
Closes-Bug: #1854377

Changed in tripleo:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-12-06: Fix proposed to tripleo-heat-templates (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/697628

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-12-06: Fix merged to tripleo-heat-templates (stable/train)

Reviewed: https://review.opendev.org/697628
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=5a615eca8e93d019be271efca21a01a72327823b
Submitter: Zuul
Branch: stable/train

commit 5a615eca8e93d019be271efca21a01a72327823b
Author: Cédric Jeanneret <email address hidden>
Date: Thu Nov 28 16:25:33 2019 +0100

Ensure we set proper SELinux label on container-puppet.sh

Just to ensure we have the right label, even if something does mount the
directory with re-labelling. This would avoid any race-condition chance.

Also update old svirt_sandbox_file_t alias since the common thing is
"container_file_t".

    Change-Id: Ic036ad901885f9d8c8072b560f2d9f3c8e919d58
    Closes-Bug: #1854377
    (cherry picked from commit 3b146b1e45fbf3a7829128eeb6dd510f9f21b278)