[SELinux] novajoin_server container fails to start after Undercloud installation
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
tripleo | Incomplete | High | Grzegorz Grasza |
Bug Description
[Originally reported on 2020-05-18 23:04 UTC by Alberto Rivera Laporte]
https:/
Description of problem:
After the installation of an RHOSP 16.0.2 Undercloud to support a TLS-Everywhere Overcloud deployment, the novajoin_server container does not properly start after a successful Undercloud installation and it appears to be in a perpetual start/crash/stop loop.
After some investigation, the container is triggering an SELinux AVC denial condition during container startup [1],[2].
[1]
Container Startup Error Log
-------
Running command: 'novajoin-server --config-file /etc/novajoin/
++ . /usr/local/
+ echo 'Running command: '\''novajoin-server --config-file /etc/novajoin/
+ exec novajoin-server --config-file /etc/novajoin/
Traceback (most recent call last):
File "/usr/bin/
sys.
File "/usr/lib/
default_
File "/usr/lib/
self.
oslo_config.
[2]
SELinux AVC Denial
-------
SELinux is preventing /usr/libexec/
***** Plugin catchall (100. confidence) suggests *******
If you believe that platform-python3.6 should be allowed read access on the join.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'novajoin-server' --raw | audit2allow -M my-novajoinserver
# semodule -X 300 -i my-novajoinserv
Additional Information:
Source Context system_
Target Context system_
Target Objects join.conf [ file ]
Source novajoin-server
Source Path /usr/libexec/
Port <Unknown>
Host osp16-dir.
Source RPM Packages platform-
Target RPM Packages
Policy RPM selinux-
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name osp16-dir.
Platform Linux osp16-dir.
Alert Count 81
First Seen 2020-05-18 18:01:06 EDT
Last Seen 2020-05-18 18:24:31 EDT
Local ID fa461946-
Raw Audit Messages
type=AVC msg=audit(
type=SYSCALL msg=audit(
Hash: novajoin-
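The sealert advice above ("ausearch ... | audit2allow -M") turns whatever was denied into an allow rule, which for a container is usually the wrong fix: a container_t process denied access to a host-labelled file normally needs the file relabelled, not a policy module that lets container_t read host files. The following triage script is an added example and is not code from this bug report, novajoin or tripleo. It parses the key=value fields of type=AVC audit records and classifies each denial as "relabel", "policy" or "review". The AVC records it uses are constructed, since the report's own records are truncated above, and the contexts in them (container_t for the novajoin container, etc_t for the config file) are assumptions, not the page's data.

```shell
#!/bin/sh
# Added example, not code from the bug report, novajoin or tripleo.
# Triage SELinux AVC records before reaching for audit2allow: parse the
# key=value fields of each type=AVC line and, for a container domain, decide
# whether the right fix is relabelling the target file rather than a policy
# module. All records below are constructed; the contexts are hypothetical.

SAMPLE_AVC='type=AVC msg=audit(1589824866.123:4567): avc:  denied  { read } for  pid=12345 comm="novajoin-server" name="join.conf" dev="vda1" ino=9876 scontext=system_u:system_r:container_t:s0:c123,c456 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1589824870.456:4570): avc:  denied  { open } for  pid=12345 comm="novajoin-server" path="/etc/novajoin/join.conf" dev="vda1" ino=9876 scontext=system_u:system_r:container_t:s0:c123,c456 tcontext=system_u:object_r:container_file_t:s0 tclass=file permissive=0'

# avc_field RECORD KEY: value of KEY= in RECORD, quotes stripped ("" if absent)
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"' | head -n 1
}

# avc_perms RECORD: the permission list between { and }, e.g. "read write"
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\(.*[^ ]\) *}.*/\1/p'
}

# ctx_type CONTEXT: the type field of user:role:type:level
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_triage RECORD: prints one line "comm src_type tgt_type class perms verdict"
avc_triage() {
    rec=$1
    comm=$(avc_field "$rec" comm)
    stype=$(ctx_type "$(avc_field "$rec" scontext)")
    ttype=$(ctx_type "$(avc_field "$rec" tcontext)")
    tclass=$(avc_field "$rec" tclass)
    perms=$(avc_perms "$rec" | tr ' ' ',')
    case "$stype:$ttype" in
        container_t:container_file_t|container_t:container_share_t|container_t:container_ro_file_t)
            # The label already grants container access, so a denial here is a
            # real policy question: run 'audit2allow -w' on it before building a module.
            verdict=policy ;;
        container_t:*)
            # A container domain hit a host-labelled file: fix the label of the
            # bind mount (chcon -t container_file_t, or the :z/:Z volume option)
            # instead of teaching container_t to read arbitrary host files.
            verdict=relabel ;;
        *)
            # Not a container domain: read the record by hand before allowing anything.
            verdict=review ;;
    esac
    printf '%s %s %s %s %s %s\n' "$comm" "$stype" "$ttype" "$tclass" "$perms" "$verdict"
}

# avc_triage_all: run avc_triage over every type=AVC record in SAMPLE_AVC
avc_triage_all() {
    printf '%s\n' "$SAMPLE_AVC" | while IFS= read -r line; do
        case "$line" in
            type=AVC*) avc_triage "$line" ;;
        esac
    done
}

# On a real host: ausearch -m AVC -c novajoin-server --raw | while IFS= read -r l; do avc_triage "$l"; done
avc_triage_all
```

For the first constructed record the verdict is "relabel": the container domain was denied read on an etc_t file, which is what a bind-mounted host config file looks like when it was never relabelled for container use. Only the second record, where the file already carries container_file_t, is worth feeding to audit2allow.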
tags: added: train-backport-potential ussuri-backport-potential
Changed in tripleo:
  status: New → In Progress
  importance: Undecided → High
  assignee: nobody → Grzegorz Grasza (xek)
  milestone: none → victoria-1
Changed in tripleo:
  milestone: victoria-1 → victoria-3
Changed in tripleo:
  milestone: victoria-3 → wallaby-1
Changed in tripleo:
  milestone: wallaby-1 → wallaby-2
Changed in tripleo:
  milestone: wallaby-2 → wallaby-3
Changed in tripleo:
  milestone: wallaby-3 → wallaby-rc1
Changed in tripleo:
  milestone: wallaby-rc1 → xena-1
Changed in tripleo:
  milestone: xena-1 → xena-2
master patch: https://review.opendev.org/#/c/729253/