[SELinux] novajoin_server container fails to start after Undercloud installation

[Originally reported on 2020-05-18 23:04 UTC by Alberto Rivera Laporte]
https://bugzilla.redhat.com/show_bug.cgi?id=1837141

Description of problem:

After the installation of an RHOSP 16.0.2 Undercloud to support a TLS-Everywhere Overcloud deployment, the novajoin_server container does not properly start after a successful Undercloud installation and it appears to be in a perpetual start/crash/stop loop.

After some investigation, the container is triggering an SELinux AVC denial condition during container startup [1],[2].

[1]
Container Startup Error Log
-----------------------------------

Running command: 'novajoin-server --config-file /etc/novajoin/join.conf'
++ . /usr/local/bin/kolla_novajoin_extend_start
+ echo 'Running command: '\''novajoin-server --config-file /etc/novajoin/join.conf'\'''
+ exec novajoin-server --config-file /etc/novajoin/join.conf
Traceback (most recent call last):
  File "/usr/bin/novajoin-server", line 10, in <module>
    sys.exit(main())
  File "/usr/lib/python3.6/site-packages/novajoin/wsgi.py", line 112, in main
    default_config_files=config.find_config_files())
  File "/usr/lib/python3.6/site-packages/oslo_config/cfg.py", line 2137, in __call__
    self._namespace._files_permission_denied)
oslo_config.cfg.ConfigFilesPermissionDeniedError: Failed to open some config files: /etc/novajoin/join.conf

[2]
SELinux AVC Denial
-----------------------------------

SELinux is preventing /usr/libexec/platform-python3.6 from read access on the file join.conf.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that platform-python3.6 should be allowed read access on the join.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'novajoin-server' --raw | audit2allow -M my-novajoinserver
# semodule -X 300 -i my-novajoinserver.pp

Additional Information:
Source Context system_u:system_r:container_t:s0:c321,c804
Target Context system_u:object_r:container_file_t:s0:c497,c980
Target Objects join.conf [ file ]
Source novajoin-server
Source Path /usr/libexec/platform-python3.6
Port <Unknown>
Host osp16-dir.voltron.xyz
Source RPM Packages platform-python-3.6.8-15.1.el8.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.14.3-20.el8.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name osp16-dir.voltron.xyz
Platform Linux osp16-dir.voltron.xyz
                              4.18.0-147.8.1.el8_1.x86_64 #1 SMP Wed Feb 26
                              03:08:15 UTC 2020 x86_64 x86_64
Alert Count 81
First Seen 2020-05-18 18:01:06 EDT
Last Seen 2020-05-18 18:24:31 EDT
Local ID fa461946-fe82-43d1-8863-6d9675b217df

Raw Audit Messages
type=AVC msg=audit(1589840671.496:18605): avc: denied { read } for pid=157421 comm="novajoin-server" name="join.conf" dev="vda1" ino=54857619 scontext=system_u:system_r:container_t:s0:c321,c804 tcontext=system_u:object_r:container_file_t:s0:c497,c980 tclass=file permissive=0

type=SYSCALL msg=audit(1589840671.496:18605): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffff9c a1=7f35512bc6a8 a2=80000 a3=0 items=0 ppid=157401 pid=157421 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=novajoin-server exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:container_t:s0:c321,c804 key=(null)

Hash: novajoin-server,container_t,container_file_t,file,read