tripleo

key-pair failure when selinux is in enforcing mode

Bug #1284485 reported by Richard Su on 2014-02-25

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	tripleo	Fix Released	High	Richard Su

Bug Description

After applying the patch in https://review.openstack.org/#/c/74607/, you'll still get an avc denial.

devtest fails with this error:
ERROR: Keypair data is invalid: failed to generate fingerprint (HTTP 400) (Request-ID: req-a20787f8-954d-42ae-b925-471beee1e4b0)

On the seed node, /var/log/audit/audit.log shows:
type=AVC msg=audit(1393286662.806:45550): avc: denied { open } for pid=4837 comm="ssh-keygen" path="/tmp/tmpQZ8G83/temp.pub" dev="vda1" ino=262175 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1393286662.806:45550): arch=40000003 syscall=5 success=no exit=-13 a0=b770e760 a1=8000 a2=0 a3=b770e760 items=0 ppid=4614 pid=4837 auid=4294967295 uid=996 gid=994 euid=996 suid=996 fsuid=996 egid=994 sgid=994 fsgid=994 ses=4294967295 tty=(none) comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=system_u:system_r:ssh_keygen_t:s0 key=(null)

What is strange is running ssh-keygen manually on the seed node to generate a file on /tmp/ succeeds.

Tags:

Richard Su (rwsu) on 2014-02-25

Changed in tripleo:
status:	New → Triaged
importance:	Undecided → High

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-07-16: Fix proposed to tripleo-image-elements (master)

Fix proposed to branch: master
Review: https://review.openstack.org/107233

Changed in tripleo:
assignee:	nobody → Richard Su (rwsu)
status:	Triaged → In Progress

Revision history for this message

Richard Su (rwsu) wrote on 2014-07-31:

Filed https://bugzilla.redhat.com/show_bug.cgi?id=1125442

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-08-14: Fix merged to tripleo-image-elements (master)

Reviewed: https://review.openstack.org/107233
Committed: https://git.openstack.org/cgit/openstack/tripleo-image-elements/commit/?id=77d89ebad41d50458ec178cb94fa75d7e8cb3ae2
Submitter: Jenkins
Branch: master

commit 77d89ebad41d50458ec178cb94fa75d7e8cb3ae2
Author: Richard Su <email address hidden>
Date: Tue Jul 15 18:06:54 2014 -0700

Custom policy for ssh-keygen failure

    This patch contains a custom policy to allow ssh-keygen to write to
    /tmp. This action is blocked by SELinux. The custom policy is needed
    until the upstream SELinux policy is updated for Fedora or nova is
    modified to call ssh-keygen to write out to a different directory.

Partial-Bug: 1284485
Change-Id: I59de4e88d9343e093a95436432e2e4d68f425d06

Richard Su (rwsu) on 2014-08-24

tags:

added: selinux

Ben Nemec (bnemec) on 2016-04-19

Changed in tripleo:
status:	In Progress → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

redhat-bugs #1125442
[CLOSED EOL] Edit

Bug watches keep track of this bug in other bug trackers.