Cannot introspect nodes due to SELinux denials in Red Hat OpenStack Platform 10
Issue
Cannot introspect nodes due to SELinux denials in Red Hat OpenStack Platform 10. httpd is denied access to the iPXE script served from /httpboot, and /var/log/audit/audit.log shows:
msg=audit(1539127145.762:375): avc: denied { getattr } for pid=1508 comm="httpd" path="/httpboot/inspector.ipxe" dev="vda1" ino=499128913 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1539127171.411:376): avc: denied { getattr } for pid=1502 comm="httpd" path="/httpboot/inspector.ipxe" dev="vda1" ino=499128913 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1539127171.411:377): avc: denied { getattr } for pid=1502 comm="httpd" path="/httpboot/inspector.ipxe" dev="vda1" ino=499128913 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1539127222.991:378): avc: denied { getattr } for pid=1505 comm="httpd" path="/httpboot/inspector.ipxe" dev="vda1" ino=499128913 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1539127222.991:379): avc: denied { getattr } for pid=1505 comm="httpd" path="/httpboot/inspector.ipxe" dev="vda1" ino=499128913 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
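The audit lines above repeat the same denial many times (one per introspection attempt). As an added example that is not part of the Red Hat article, the shell function below collapses AVC records into one row per process, source type, target type, object class and permission, so a triage of a busy audit.log shows at a glance that the only thing failing is httpd_t reading default_t files. The sample lines are constructed to mirror the denials shown above (one extra "read" denial and one non-AVC record are included to show filtering).

```shell
# Added example (not from the Red Hat article): summarize SELinux AVC denials
# from audit.log so repeated denials collapse into one row per
# (comm, source type, target type, tclass, permission).
# The log lines below are constructed to mirror the denials shown on the page.
AVC_SAMPLE='type=AVC msg=audit(1539127171.411:376): avc:  denied  { getattr } for  pid=1502 comm="httpd" path="/httpboot/inspector.ipxe" dev="vda1" ino=499128913 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1539127171.411:377): avc:  denied  { getattr } for  pid=1502 comm="httpd" path="/httpboot/inspector.ipxe" dev="vda1" ino=499128913 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1539127222.991:378): avc:  denied  { read } for  pid=1505 comm="httpd" path="/httpboot/agent.kernel" dev="vda1" ino=499128914 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=USER_LOGIN msg=audit(1539127300.000:379): pid=2000 uid=0 auid=1000 ses=3 res=success'

# avc_summary: read audit records on stdin and print
#   "<count> <comm> <source type> <target type> <tclass> <permission>"
# sorted by count, highest first. Non-AVC records and AVC grants are ignored.
avc_summary() {
    awk '
        /^type=AVC / && / denied / {
            comm = ""; s = ""; t = ""; cls = ""; perm = ""
            # the denied permission sits between "{ " and " }"
            if (match($0, /[{] [^}]* [}]/)) {
                perm = substr($0, RSTART + 2, RLENGTH - 4)
            }
            # pull the key=value fields we care about
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "comm") comm = kv[2]
                else if (kv[1] == "scontext") s = kv[2]
                else if (kv[1] == "tcontext") t = kv[2]
                else if (kv[1] == "tclass") cls = kv[2]
            }
            gsub(/"/, "", comm)
            # keep only the type component (user:role:type:level) of each context
            split(s, sp, ":"); split(t, tp, ":")
            key = comm " " sp[3] " " tp[3] " " cls " " perm
            count[key]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Stand-alone usage: summarize the constructed sample (or: avc_summary < /var/log/audit/audit.log)
printf '%s\n' "$AVC_SAMPLE" | avc_summary
```

On the sample this prints two rows, `2 httpd httpd_t default_t file getattr` and `1 httpd httpd_t default_t file read`. The target type column is the useful signal: `default_t` means the files carry the catch-all label that no confined service is allowed to read, which is exactly what the chcon/restorecon back-and-forth below is about.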
A restorecon of /httpboot or an autorelabel (https://access.redhat.com/solutions/24845) sets the wrong SELinux context (default_t, which httpd_t cannot read) on /httpboot and its contents:
[root@podir011 ~]# ls -alZ /httpboot/
drwxr-xr-x. ironic ironic system_u:object_r:default_t:s0 .
dr-xr-xr-x. root root system_u:object_r:root_t:s0 ..
-rwxr-xr-x. root root system_u:object_r:default_t:s0 agent.kernel
-rw-r--r--. root root system_u:object_r:default_t:s0 agent.ramdisk
-rw-r--r--. ironic-inspector ironic-inspector system_u:object_r:default_t:s0 inspector.ipxe
The context can be fixed by manually relabelling the directory with chcon:
[root@podir011 ~]# chcon -t httpd_sys_content_t /httpboot/ -R
[root@podir011 ~]# ls -alZ /httpboot
drwxr-xr-x. ironic ironic system_u:object_r:httpd_sys_content_t:s0 .
dr-xr-xr-x. root root system_u:object_r:root_t:s0 ..
-rwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 agent.kernel
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 agent.ramdisk
-rw-r--r--. ironic-inspector ironic-inspector system_u:object_r:httpd_sys_content_t:s0 inspector.ipxe
However, running restorecon again brings back the bad SELinux context: chcon only changes the label on disk, while restorecon resets the directory and the files in it to the context stored in the SELinux policy, which still says default_t:
[root@podir011 ~]# restorecon /httpboot -RF
[root@podir011 ~]# ls -al /httpboot
total 377260
drwxr-xr-x. 2 ironic ironic 69 Oct 9 16:25 .
dr-xr-xr-x. 19 root root 256 Oct 9 19:01 ..
-rwxr-xr-x. 1 root root 5889712 Oct 9 16:25 agent.kernel
-rw-r--r--. 1 root root 380417527 Oct 9 16:25 agent.ramdisk
-rw-r--r--. 1 ironic-inspector ironic-inspector 459 Oct 9 16:21 inspector.ipxe
[root@podir011 ~]# ls -alZ /httpboot/
drwxr-xr-x. ironic ironic system_u:object_r:default_t:s0 .
dr-xr-xr-x. root root system_u:object_r:root_t:s0 ..
-rwxr-xr-x. root root system_u:object_r:default_t:s0 agent.kernel
-rw-r--r--. root root system_u:object_r:default_t:s0 agent.ramdisk
-rw-r--r--. ironic-inspector ironic-inspector system_u:object_r:default_t:s0 inspector.ipxe
Setting it again with chcon restores the working label, until the next restorecon:
[root@podir011 ~]# chcon -t httpd_sys_content_t /httpboot/ -R
[root@podir011 ~]# ls -alZ /httpboot/
drwxr-xr-x. ironic ironic system_u:object_r:httpd_sys_content_t:s0 .
dr-xr-xr-x. root root system_u:object_r:root_t:s0 ..
-rwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 agent.kernel
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 agent.ramdisk
-rw-r--r--. ironic-inspector ironic-inspector system_u:object_r:httpd_sys_content_t:s0 inspector.ipxe
[root@podir011 ~]#
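Because a chcon label silently disappears at the next relabel, it is worth having a check that flags drift before introspection starts failing. As an added example that is not part of the Red Hat article, the shell function below reads `ls -alZ` output and reports every entry whose SELinux type is not the one the web server is allowed to serve; the two listings are constructed to mirror the before and after listings shown above. It assumes the five-column `ls -alZ` layout shown on the page (mode, user, group, context, name).

```shell
# Added example (not from the Red Hat article): detect SELinux label drift in
# `ls -alZ` output, i.e. entries whose type is not the expected one.
# Both listings are constructed to mirror the /httpboot listings on the page.
LISTING_BEFORE='drwxr-xr-x. ironic ironic system_u:object_r:default_t:s0 .
dr-xr-xr-x. root root system_u:object_r:root_t:s0 ..
-rwxr-xr-x. root root system_u:object_r:default_t:s0 agent.kernel
-rw-r--r--. root root system_u:object_r:default_t:s0 agent.ramdisk
-rw-r--r--. ironic-inspector ironic-inspector system_u:object_r:default_t:s0 inspector.ipxe'

LISTING_AFTER='drwxr-xr-x. ironic ironic system_u:object_r:httpd_sys_content_t:s0 .
dr-xr-xr-x. root root system_u:object_r:root_t:s0 ..
-rwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 agent.kernel
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 agent.ramdisk
-rw-r--r--. ironic-inspector ironic-inspector system_u:object_r:httpd_sys_content_t:s0 inspector.ipxe'

# label_drift EXPECTED_TYPE: read `ls -alZ` lines on stdin and print
# "<name> <actual type>" for every entry whose SELinux type differs from
# EXPECTED_TYPE. The parent directory ".." is skipped because it is labelled
# independently of the directory being checked. Exit status is 1 when any
# drift was found, 0 otherwise.
label_drift() {
    awk -v want="$1" '
        NF >= 5 && $5 != ".." {
            n = split($4, ctx, ":")      # user:role:type:level
            if (n >= 3 && ctx[3] != want) { print $5, ctx[3]; bad++ }
        }
        END { exit ((bad > 0) ? 1 : 0) }
    '
}

# count_drift LISTING: number of entries in LISTING that are not httpd_sys_content_t
count_drift() {
    printf '%s\n' "$1" | label_drift httpd_sys_content_t | wc -l | tr -d ' '
}

# Stand-alone usage (on a live system: ls -alZ /httpboot | label_drift httpd_sys_content_t)
echo "before chcon: $(count_drift "$LISTING_BEFORE") drifted entries"
echo "after chcon:  $(count_drift "$LISTING_AFTER") drifted entries"
```

The first listing reports four drifted entries (the directory itself and the three files), the second reports none. The check only tells you the on-disk label is right at that moment; as the transcript above shows, a label set with chcon is not part of the policy's file-context rules, so the next restorecon or autorelabel undoes it. In SELinux generally, a label that is meant to survive relabelling has to be recorded in the policy's file-context database (semanage fcontext) before restorecon is run; the article's own resolution for this case is not shown on this page.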
Environment
Red Hat OpenStack Platform 10
