Cannot introspect nodes due to SELinux denials in Red Hat OpenStack Platform 10
Issue
Cannot introspect nodes due to SELinux denials in Red Hat OpenStack Platform 10, and /var/log/audit/audit.log shows httpd being denied access to /httpboot/inspector.ipxe:
msg=audit(1539127145.762:375): avc: denied { getattr } for pid=1508 comm="httpd" path="/httpboot/inspector.ipxe" dev="vda1" ino=499128913 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1539127171.411:376): avc: denied { getattr } for pid=1502 comm="httpd" path="/httpboot/inspector.ipxe" dev="vda1" ino=499128913 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1539127171.411:377): avc: denied { getattr } for pid=1502 comm="httpd" path="/httpboot/inspector.ipxe" dev="vda1" ino=499128913 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1539127222.991:378): avc: denied { getattr } for pid=1505 comm="httpd" path="/httpboot/inspector.ipxe" dev="vda1" ino=499128913 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1539127222.991:379): avc: denied { getattr } for pid=1505 comm="httpd" path="/httpboot/inspector.ipxe" dev="vda1" ino=499128913 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
Running restorecon on /httpboot, or an autorelabel (https://access.redhat.com/solutions/24845), sets the wrong SELinux context (default_t) on /httpboot, which is what httpd is denied access to in the AVC messages above:
[root@podir011 ~]# ls -alZ /httpboot/
drwxr-xr-x. ironic ironic system_u:object_r:default_t:s0 .
dr-xr-xr-x. root root system_u:object_r:root_t:s0 ..
-rwxr-xr-x. root root system_u:object_r:default_t:s0 agent.kernel
-rw-r--r--. root root system_u:object_r:default_t:s0 agent.ramdisk
-rw-r--r--. ironic-inspector ironic-inspector system_u:object_r:default_t:s0 inspector.ipxe
The context can be corrected manually with chcon:
[root@podir011 ~]# chcon -t httpd_sys_content_t /httpboot/ -R
[root@podir011 ~]# ls -alZ /httpboot
drwxr-xr-x. ironic ironic system_u:object_r:httpd_sys_content_t:s0 .
dr-xr-xr-x. root root system_u:object_r:root_t:s0 ..
-rwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 agent.kernel
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 agent.ramdisk
-rw-r--r--. ironic-inspector ironic-inspector system_u:object_r:httpd_sys_content_t:s0 inspector.ipxe
However, running restorecon again reverts the directory and the files in it to the stored (default_t) context, undoing the chcon change:
[root@podir011 ~]# restorecon /httpboot -RF
[root@podir011 ~]# ls -al /httpboot
total 377260
drwxr-xr-x. 2 ironic ironic 69 Oct 9 16:25 .
dr-xr-xr-x. 19 root root 256 Oct 9 19:01 ..
-rwxr-xr-x. 1 root root 5889712 Oct 9 16:25 agent.kernel
-rw-r--r--. 1 root root 380417527 Oct 9 16:25 agent.ramdisk
-rw-r--r--. 1 ironic-inspector ironic-inspector 459 Oct 9 16:21 inspector.ipxe
[root@podir011 ~]# ls -alZ /httpboot/
drwxr-xr-x. ironic ironic system_u:object_r:default_t:s0 .
dr-xr-xr-x. root root system_u:object_r:root_t:s0 ..
-rwxr-xr-x. root root system_u:object_r:default_t:s0 agent.kernel
-rw-r--r--. root root system_u:object_r:default_t:s0 agent.ramdisk
-rw-r--r--. ironic-inspector ironic-inspector system_u:object_r:default_t:s0 inspector.ipxe
Setting it again with chcon restores the working context:
[root@podir011 ~]# chcon -t httpd_sys_content_t /httpboot/ -R
[root@podir011 ~]# ls -alZ /httpboot/
drwxr-xr-x. ironic ironic system_u:object_r:httpd_sys_content_t:s0 .
dr-xr-xr-x. root root system_u:object_r:root_t:s0 ..
-rwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 agent.kernel
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 agent.ramdisk
-rw-r--r--. ironic-inspector ironic-inspector system_u:object_r:httpd_sys_content_t:s0 inspector.ipxe
[root@podir011 ~]#
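As an added example (not part of this solution), the following POSIX shell script summarises AVC denials of the form shown above and records the /httpboot label in the local SELinux file-context store with semanage fcontext, so that it survives restorecon and autorelabel instead of being lost as the chcon change is. The sample audit lines are constructed from those above, and httpd_sys_content_t is assumed to be the intended type because it is the one the solution applies with chcon.

```shell
#!/bin/sh
# Added example, not from the Red Hat solution. Constructed sample based on the
# article's audit.log lines, plus one unrelated record that must be ignored.
SAMPLE_AVC='type=AVC msg=audit(1539127145.762:375): avc: denied { getattr } for pid=1508 comm="httpd" path="/httpboot/inspector.ipxe" dev="vda1" ino=499128913 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1539127171.411:376): avc: denied { getattr } for pid=1502 comm="httpd" path="/httpboot/inspector.ipxe" dev="vda1" ino=499128913 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=USER_LOGIN msg=audit(1539127200.000:377): pid=1 uid=0 auid=0 ses=1 msg=unrelated'

# Read audit lines on stdin and print one line per distinct denial:
#   "<count> <comm> <permission> <path> <source type> <target type> <tclass>"
# so the mislabelled path and the type it currently carries are obvious.
summarize_avc() {
    grep 'avc: *denied' |
        sed -n 's/.*{ \([a-z_]*\) }.*comm="\([^"]*\)".*path="\([^"]*\)".*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([a-z_]*\).*/\2 \1 \3 \4 \5 \6/p' |
        sort | uniq -c | sed 's/^ *//'
}

# Persistent fix: store a file-context rule for the directory tree, then apply
# it. Unlike chcon, a rule in the policy store is what restorecon enforces.
# "-a" fails if a rule for the pattern already exists, so fall back to "-m".
persist_httpboot_label() {
    dir="${1:-/httpboot}"
    pat="${dir}(/.*)?"
    semanage fcontext -a -t httpd_sys_content_t "$pat" 2>/dev/null ||
        semanage fcontext -m -t httpd_sys_content_t "$pat"
    restorecon -RFv "$dir"
    # Verify: matchpathcon shows the stored type; ls -Z shows the applied one.
    matchpathcon "$dir/inspector.ipxe"
    ls -alZ "$dir"
}

# Only touch the running system when explicitly asked; otherwise just report.
if [ "${1:-}" = "--fix" ]; then
    persist_httpboot_label /httpboot
else
    printf '%s\n' "$SAMPLE_AVC" | summarize_avc
fi
```

Run it with `--fix` as root on the undercloud to make the label persistent; without arguments it only prints the denial summary for the embedded sample (pipe `grep AVC /var/log/audit/audit.log | summarize_avc` to report on a live host).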
Environment
Red Hat OpenStack Platform 10