[SELinux] novajoin_server container fails to start after Undercloud installation

Bug #1881713 reported by Grzegorz Grasza
Affects: tripleo; Status: Incomplete; Importance: High; Assigned to: Grzegorz Grasza; Milestone: none

Bug Description

[Originally reported on 2020-05-18 23:04 UTC by Alberto Rivera Laporte]
https://bugzilla.redhat.com/show_bug.cgi?id=1837141

Description of problem:

After the installation of an RHOSP 16.0.2 Undercloud to support a TLS-Everywhere Overcloud deployment, the novajoin_server container does not properly start after a successful Undercloud installation and it appears to be in a perpetual start/crash/stop loop.

After some investigation, the container is triggering an SELinux AVC denial condition during container startup [1],[2].

[1]
Container Startup Error Log
-----------------------------------

Running command: 'novajoin-server --config-file /etc/novajoin/join.conf'
++ . /usr/local/bin/kolla_novajoin_extend_start
+ echo 'Running command: '\''novajoin-server --config-file /etc/novajoin/join.conf'\'''
+ exec novajoin-server --config-file /etc/novajoin/join.conf
Traceback (most recent call last):
  File "/usr/bin/novajoin-server", line 10, in <module>
    sys.exit(main())
  File "/usr/lib/python3.6/site-packages/novajoin/wsgi.py", line 112, in main
    default_config_files=config.find_config_files())
  File "/usr/lib/python3.6/site-packages/oslo_config/cfg.py", line 2137, in __call__
    self._namespace._files_permission_denied)
oslo_config.cfg.ConfigFilesPermissionDeniedError: Failed to open some config files: /etc/novajoin/join.conf

[2]
SELinux AVC Denial
-----------------------------------

SELinux is preventing /usr/libexec/platform-python3.6 from read access on the file join.conf.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that platform-python3.6 should be allowed read access on the join.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'novajoin-server' --raw | audit2allow -M my-novajoinserver
# semodule -X 300 -i my-novajoinserver.pp

Additional Information:
Source Context system_u:system_r:container_t:s0:c321,c804
Target Context system_u:object_r:container_file_t:s0:c497,c980
Target Objects join.conf [ file ]
Source novajoin-server
Source Path /usr/libexec/platform-python3.6
Port <Unknown>
Host osp16-dir.voltron.xyz
Source RPM Packages platform-python-3.6.8-15.1.el8.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.14.3-20.el8.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name osp16-dir.voltron.xyz
Platform Linux osp16-dir.voltron.xyz 4.18.0-147.8.1.el8_1.x86_64 #1 SMP Wed Feb 26 03:08:15 UTC 2020 x86_64 x86_64
Alert Count 81
First Seen 2020-05-18 18:01:06 EDT
Last Seen 2020-05-18 18:24:31 EDT
Local ID fa461946-fe82-43d1-8863-6d9675b217df

Raw Audit Messages
type=AVC msg=audit(1589840671.496:18605): avc: denied { read } for pid=157421 comm="novajoin-server" name="join.conf" dev="vda1" ino=54857619 scontext=system_u:system_r:container_t:s0:c321,c804 tcontext=system_u:object_r:container_file_t:s0:c497,c980 tclass=file permissive=0

type=SYSCALL msg=audit(1589840671.496:18605): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffff9c a1=7f35512bc6a8 a2=80000 a3=0 items=0 ppid=157401 pid=157421 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=novajoin-server exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:container_t:s0:c321,c804 key=(null)

Hash: novajoin-server,container_t,container_file_t,file,read
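The denial in [2] and the :Z versus :z explanation in the merged commit both come down to SELinux MCS category dominance: the container runs as container_t with one category pair, the file carries container_file_t with a different pair. The following Python is an added example, not code from the report or from tripleo; it parses raw AVC lines of this shape and flags that mismatch, using the line quoted above as a constructed sample (function names are mine).

```python
import re

# Constructed sample: the raw AVC line quoted in the bug report above.
SAMPLE_AVC = (
    'type=AVC msg=audit(1589840671.496:18605): avc: denied { read } for pid=157421 '
    'comm="novajoin-server" name="join.conf" dev="vda1" ino=54857619 '
    'scontext=system_u:system_r:container_t:s0:c321,c804 '
    'tcontext=system_u:object_r:container_file_t:s0:c497,c980 tclass=file permissive=0'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?comm="(?P<comm>[^"]+)"'
    r'.*?name="(?P<name>[^"]+)".*?scontext=(?P<scontext>\S+)'
    r'\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_context(ctx):
    """Split 'user:role:type:sensitivity[:categories]' into its parts. The category
    set is empty for a shared (:z) label such as container_file_t:s0."""
    user, role, stype, level = ctx.split(':', 3)
    sens, _, cats = level.partition(':')
    categories = frozenset(cats.split(',')) if cats else frozenset()
    return user, role, stype, sens, categories


def mcs_allows(scontext, tcontext):
    """MCS rule: the subject's categories must be a superset of the object's. A :Z
    mount stamps the file with one container's pair, so any other container fails."""
    return parse_context(tcontext)[4] <= parse_context(scontext)[4]


def diagnose_avc(line):
    """Parse one raw audit line; return a dict, or None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    _, _, s_type, _, s_cats = parse_context(m['scontext'])
    _, _, t_type, _, t_cats = parse_context(m['tcontext'])
    return {
        'comm': m['comm'],
        'name': m['name'],
        'perms': m['perms'].split(),
        'source_type': s_type,
        'target_type': t_type,
        'source_categories': s_cats,
        'target_categories': t_cats,
        # True when the type pair is the normal container/volume pair and only the
        # MCS categories disagree: the signature of a volume another container mounted :Z.
        'private_label_mismatch': (s_type == 'container_t' and t_type == 'container_file_t'
                                   and not mcs_allows(m['scontext'], m['tcontext'])),
    }
```

Feeding `ausearch -m AVC --raw` output through `diagnose_avc` line by line separates this labeling problem from denials that need a real policy change; `mcs_allows` also shows why a `:z` label (no categories) is readable by every container.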

tags: added: train-backport-potential ussuri-backport-potential
Changed in tripleo:
status: New → In Progress
importance: Undecided → High
assignee: nobody → Grzegorz Grasza (xek)
milestone: none → victoria-1
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (stable/ussuri)

Reviewed: https://review.opendev.org/732483
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=392de5157d979383e2f313f126b285312b3cdf63
Submitter: Zuul
Branch: stable/ussuri

commit 392de5157d979383e2f313f126b285312b3cdf63
Author: Grzegorz Grasza <email address hidden>
Date: Tue May 19 15:10:48 2020 +0200

    Change the :Z mount flag to :z

    Leaving this with the capital Z limits access to this file
    to the other novajoin container. This can cause the other
    container to malfunction. At the very best, the other
    container will restart, relabeling the file with its
    settings, which has the proper value of lower z.

    Closes-Bug: #1881713
    Resolves: rhbz#1837141
    Change-Id: Iebcfb9509c58619f9d68d3036775f07683a0fa42
    (cherry picked from commit a6fa6027275bd650390cd538abffd7f06da24756)

tags: added: in-stable-ussuri
Changed in tripleo:
milestone: victoria-1 → victoria-3
Changed in tripleo:
milestone: victoria-3 → wallaby-1
Changed in tripleo:
milestone: wallaby-1 → wallaby-2
Changed in tripleo:
milestone: wallaby-2 → wallaby-3
Changed in tripleo:
milestone: wallaby-3 → wallaby-rc1
Changed in tripleo:
milestone: wallaby-rc1 → xena-1
Changed in tripleo:
milestone: xena-1 → xena-2
Revision history for this message
Marios Andreou (marios-b) wrote :

This is an automated action. Bug status has been set to 'Incomplete' and target milestone has been removed due to inactivity. If you disagree please re-set these values and reach out to us on freenode #tripleo

Changed in tripleo:
milestone: xena-2 → none
status: In Progress → Incomplete