[Train][CentOS7] Packstack deployment fails while starting httpd with SELINUX enabled

Bug #1923005 reported by yatin on 2021-04-08
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Packstack
High
Unassigned

Bug Description

Packstack Deployment on CentOS7 with selinux enabled fails with:-
PuppetError: Error appeared during Puppet run: 192.168.100.178_controller.pp
Error: Systemd start for httpd failed!

httpd service logs stats:-
 (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:8774
  httpd[1569]: no listening sockets available, shutting down

AVC denied audit log:-
type=AVC msg=audit(1617806051.956:10123): avc: denied { name_bind } for pid=1569 comm="httpd" src=8774 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:osapi_compute_port_t:s0 tclass=tcp_socket permissive=0

httpd is allowed to bind to any port in openstack-selinux https://github.com/redhat-openstack/openstack-selinux/blob/master/os-httpd.te#L48, but it still fails due to recent commit in openstack-selinux:- https://github.com/redhat-openstack/openstack-selinux/commit/1f3ab78f0d9b5e1d76ca420873889e9c6f54faf0

Applying recent os-podman.te in C7 fails with:-
# semodule -i /usr/share/selinux/packages/os-podman.pp.bz2
Failed to resolve typeattributeset statement at /etc/selinux/targeted/tmp/modules/400/os-podman/cil:3
semodule: Failed!

This is likely caused by old container-selinux package in CentOS7 and unavailable commit https://github.com/containers/container-selinux/commit/e544d77116b6182cbfa42fd2168e1f602e86b06d

# rpm -q container-selinux
container-selinux-2.119.2-1.911c772.el7_8.noarch

Example log:-
https://logserver.rdoproject.org/ci.centos.org/weirdo-train-promote-packstack-scenario001/274/weirdo-project/logs/latest/manifests/192.168.1.103_controller.pp.log.txt.gz
https://logserver.rdoproject.org/ci.centos.org/weirdo-train-promote-packstack-scenario001/274/weirdo-project/logs/diag/journalctl_--no-pager.txt.gz
https://logserver.rdoproject.org/ci.centos.org/weirdo-train-promote-packstack-scenario001/274/weirdo-project/logs/audit/audit.log.txt.gz
https://logserver.rdoproject.org/ci.centos.org/weirdo-train-promote-packstack-scenario001/274/rpm_packages.txt.gz

Will check with authors on how to clear this issue.

yatin (yatinkarel) on 2021-04-08
Changed in packstack:
status: New → Triaged
importance: Undecided → High
yatin (yatinkarel) on 2021-04-08
description: updated
yatin (yatinkarel) wrote :

Proposed https://review.rdoproject.org/r/c/rdo-infra/weirdo/+/33168 to switch selinux to permissive, it's already in permissive for centos7 job, all upstream jobs(except packstack on C7) were running with selinux permissive, with this patch that too does the same, maintaining selinux just for this case is not much worth.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers