Certmongers call pkill and is prevented to do so by SELinux

Bug #1821149 reported by Cédric Jeanneret
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
tripleo
High
Juan Antonio Osorio Robles

Bug Description

Hello,

With the new way certmongers restarts services, we hit several AVC due to the pkill calls:

type=AVC msg=audit(1553153141.509:3368): avc: denied { getattr } for pid=19269 comm="pkill" path="/proc/2" dev="proc" ino=12381 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1553153141.509:3369): avc: denied { search } for pid=19269 comm="pkill" name="2" dev="proc" ino=12381 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1553153141.509:3369): avc: denied { read } for pid=19269 comm="pkill" name="status" dev="proc" ino=12992 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=file permissive=1
type=AVC msg=audit(1553153141.509:3369): avc: denied { open } for pid=19269 comm="pkill" path="/proc/2/status" dev="proc" ino=12992 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=file permissive=1

Would be best to move to $container_cli kill <container> instead.

Cheers,

C.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (master)

Fix proposed to branch: master
Review: https://review.openstack.org/645080

Changed in tripleo:
assignee: nobody → Juan Antonio Osorio Robles (juan-osorio-robles)
status: Triaged → In Progress
Revision history for this message
Cédric Jeanneret (cjeanner) wrote :

An idea would be to move away from puppet[1] to ansible, directly inside the t-h-t.
It will request some time to dev that, but eventually it will make things cleaner and smarter.

[1] https://github.com/openstack/puppet-tripleo/blob/master/manifests/profile/base/certmonger_user.pp

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (master)

Reviewed: https://review.openstack.org/645080
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=c5d8ed538a68f79e1adc11030e64da5ecdd64def
Submitter: Zuul
Branch: master

commit c5d8ed538a68f79e1adc11030e64da5ecdd64def
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Thu Mar 21 10:45:37 2019 +0200

    haproxy/certmonger: use container_cli to trigger HUP signal

    We were using pkill, which would fail due to SELinux. Using the
    container cli would be a better option. It's also more portable.

    Change-Id: I6bf92bc1e74797d9132ae595af8929e67d439f43
    Closes-Bug: #1821149

Changed in tripleo:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 10.4.0

This issue was fixed in the openstack/puppet-tripleo 10.4.0 release.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers