Bug 1695056 - Wrong SELinux context for /run/teamd/
Summary: Wrong SELinux context for /run/teamd/
Keywords:
Status: NEW
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo
Version: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: ---
: ---
Assignee: James Slagle
QA Contact: Arik Chernetsky
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2019-04-02 11:55 UTC by ojanas
Modified: 2019-04-03 07:55 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:



Description ojanas 2019-04-02 11:55:27 UTC
Description of problem:

When trying to deploy the following NIC configuration via a TripleO template:

##### nic teaming config:

             - type: ovs_bridge
                name: bridge_name
                mtu: 9000
                members:
                - type: team
                  name: team0
                  bonding_options:
                    get_param: BondInterfaceOvsOptions
                  members:
                  - type: interface
                    name: nic2
                    mtu: 9000
                    primary: true
                  - type: interface
                    name: nic3
                    mtu: 9000
                  - type: interface
                    name: nic4
                    mtu: 9000
                  - type: interface
                    name: nic5
                    mtu: 9000

which results in this os-net-config:

"members":[  
            {  
               "bonding_options":"{\"runner\": {\"name\": \"lacp\", \"agg_select_policy\": \"lacp_prio\", \"active\": true, \"tx_balancer\": {\"name\": \"basic\"},  \"tx_hash\": [\"l4\"], \"fast_rate\": true }, \"link_watch\": {\"name\": \"ethtool\", \"delay_up\": 400, \"delay_down\": 200 }}",
               "members":[  
                  {  
                     "mtu":9000,
                     "name":"nic2",
                     "primary":true,
                     "type":"interface"
                  },
                  {  
                     "mtu":9000,
                     "name":"nic3",
                     "type":"interface"
                  },
                  {  
                     "mtu":9000,
                     "name":"nic4",
                     "type":"interface"
                  },
                  {  
                     "mtu":9000,
                     "name":"nic5",
                     "type":"interface"
                  }
               ],
               "name":"team0",
               "type":"team"
            }


The deployment fails:

2019-03-30 14:22:25Z [fr-east-1.Controller.0.NetworkDeployment]: SIGNAL_IN_PROGRESS  Signal: deployment 7be88774-6613-4e97-aa86-e648a982a2ea failed (1)
2019-03-30 14:22:26Z [fr-east-1.Controller.0.NetworkDeployment]: CREATE_FAILED  Error: resources.NetworkDeployment: Deployment to server failed: deploy_status_code : Deployment exited with non-zero status code: 1
2019-03-30 14:22:26Z [fr-east-1.Controller.0]: CREATE_FAILED  Resource CREATE failed: Error: resources.NetworkDeployment: Deployment to server failed: deploy_status_code : Deployment exited with non-zero status code: 1
2019-03-30 14:22:27Z [fr-east-1.Controller.0]: CREATE_FAILED  Error: resources[0].resources.NetworkDeployment: Deployment to server failed: deploy_status_code: Deployment exited with non-zero status code: 1
2019-03-30 14:22:27Z [fr-east-1.Controller]: UPDATE_FAILED  Resource CREATE failed: Error: resources[0].resources.NetworkDeployment: Deployment to server failed: deploy_status_code: Deployment exited with non-zero status code: 1
2019-03-30 14:22:28Z [fr-east-1.Controller]: CREATE_FAILED  resources.Controller: Resource CREATE failed: Error: resources[0].resources.NetworkDeployment: Deployment to server failed: deploy_status_code: Deployment exited with non-zero status code: 1
2019-03-30 14:22:28Z [fr-east-1]: CREATE_FAILED  Resource CREATE failed: resources.Controller: Resource CREATE failed: Error: resources[0].resources.NetworkDeployment: Deployment to server failed: deploy_status_code: Deployment exited with non-zero status code: 1

 Stack fr-east-1 CREATE_FAILED 


On the node, systemd fails to start the unit "teamd@team0.service"

[root@ctr0-fr-east-1 network-scripts]# systemctl status teamd@team0.service
teamd@team0.service - Team Daemon for device team0
   Loaded: loaded (/usr/lib/systemd/system/teamd@.service; static; vendor preset: disabled)
   Active: failed (Result: exit-code) since Sat 2019-03-30 06:36:48 EDT; 2min 0s ago
  Process: 32999 ExecStart=/usr/bin/teamd -U -D -o -t %i -f /run/teamd/%i.conf (code=exited, status=1/FAILURE)
 Main PID: 32999 (code=exited, status=1/FAILURE)

Mar 30 06:36:48 XXX systemd[1]: Starting Team Daemon for device team0...
Mar 30 06:36:48 XXX teamd[32999]: Failed to get absolute path of "/run/teamd/team0.conf": Permission denied
Mar 30 06:36:48 XXX systemd[1]: teamd@team0.service: main process exited, code=exited, status=1/FAILURE
Mar 30 06:36:48 XXX systemd[1]: Failed to start Team Daemon for device team0.
Mar 30 06:36:48 XXX systemd[1]: Unit teamd@team0.service entered failed state.
Mar 30 06:36:48 XXX systemd[1]: teamd@team0.service failed.
Version-Release number of selected component (if applicable):


We can observe /run/teamd has this SELinux context:

ls -Zd /run/teamd/
drwxr-xr-x. root root system_u:object_r:var_run_t:s0   /run/teamd/

We can observe this in audit log:

type=AVC msg=audit(1553955049.523:135): avc:  denied  { getattr } for  pid=32337 comm="teamd" path="/run/teamd/team0.conf" dev="tmpfs" ino=125425 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1553955049.523:135): arch=c000003e syscall=6 success=no exit=-13 a0=55a8769a17d0 a1=7ffe751eb1c0 a2=7ffe751eb1c0 a3=63 items=0 ppid=1 pid=32337 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="teamd" exe="/usr/bin/teamd" subj=system_u:system_r:NetworkManager_t:s0 key=(null)


When we restore the default selinux security context, teaming starts well:

# restorecon -Rv /run/teamd

restorecon reset /run/teamd context system_u:object_r:var_run_t:s0->system_u:object_r:NetworkManager_var_run_t:s0
restorecon reset /run/teamd/team0.conf context system_u:object_r:var_run_t:s0->system_u:object_r:NetworkManager_var_run_t:s0


# systemctl status teamd@team0.service
teamd@team0.service - Team Daemon for device team0
   Loaded: loaded (/usr/lib/systemd/system/teamd@.service; static; vendor preset: disabled)
   Active: active (running) since Sat 2019-03-30 06:42:10 EDT; 37s ago
 Main PID: 34037 (teamd)
   CGroup: /system.slice/system-teamd.slice/teamd@team0.service
           └─34037 /usr/bin/teamd -U -D -o -t team0 -f /run/teamd/team0.conf

Mar 30 06:42:10 XXX systemd[1]: Starting Team Daemon for device team0...
Mar 30 06:42:10 XXX teamd[34037]: This program is not intended to be run as root.
Mar 30 06:42:10 XXX teamd[34037]: TX balancing enabled.
Mar 30 06:42:10 XXX teamd[34037]: Balancing interval 50.
Mar 30 06:42:10 XXX teamd[34037]: 1.27 successfully started.
Mar 30 06:42:10 XXX systemd[1]: Started Team Daemon for device team0.

After that when we update the stack, deployment goes well.


Actual results:

Wrong SELinux context

Expected results:

Correct SELinux context

Additional info:

Deployment command:

# openstack overcloud deploy \
        --stack XXX \
        --verbose \
        --templates /usr/share/openstack-tripleo-heat-templates \
        -n ~/templates/network_data.yaml \
        -r ~/templates/roles_data.yaml \
        -e /usr/share/openstack-tripleo-heat-templates/environments/network-isolation.yaml \
        -e /usr/share/openstack-tripleo-heat-templates/environments/network-environment.yaml \
        -e /usr/share/openstack-tripleo-heat-templates/environments/enable-swap.yaml \
        -e /usr/share/openstack-tripleo-heat-templates/environments/swift-external.yaml \
        -e /usr/share/openstack-tripleo-heat-templates/environments/ceph-ansible/ceph-ansible.yaml \
        -e /usr/share/openstack-tripleo-heat-templates/environments/services-docker/cinder-backup.yaml \
        -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/enable-internal-tls.yaml \
        -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/tls-everywhere-endpoints-dns.yaml \
        -e ~/templates/environment-enabled/60-swift-external-endpoints.yaml \
        -e ~/templates/environment-enabled/10-ips-from-pool-all-OVS.yaml \
        -e ~/templates/environment-enabled/11-network-environment-override-OVS.yaml \
        -e /home/stack/templates/rhel-registration/environment-rhel-registration.yaml \
        -e /home/stack/templates/rhel-registration/rhel-registration-resource-registry.yaml \
        -e ~/templates/overcloud_images.yaml \
        --environment-directory ~/templates/environment-enabled \
        --timeout 180
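The AVC record quoted in the report is the piece of evidence that separates a mislabelled file (fix with restorecon) from a genuine policy gap (which would need a policy change, not a relabel). As an added example, not part of this bug report nor of os-net-config or TripleO, the following parser reads audit AVC lines such as the one above, extracts the subject domain and the target type, and classifies each denial by comparing the target's actual type with the type the policy expects for that path. The path-to-type mapping is a constructed stand-in for what `matchpathcon` or `restorecon -n` would answer from the installed policy; the `NetworkManager_var_run_t` expectation for `/run/teamd` is taken from the restorecon output in the report. The second AVC line in the sample is constructed to show the contrasting case.

```python
"""Classify SELinux AVC denials as file mislabels versus true policy denials.

Mislabel: the target file carries a type the policy would not assign to that
path (here var_run_t instead of NetworkManager_var_run_t), so restorecon is
the right fix.  Policy denial: the label is already correct and the domain is
simply not allowed the access, which a relabel cannot repair.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$'
)
# key=value pairs; values may be double-quoted (path="...") or bare tokens.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed stand-in for the policy's file-context database (matchpathcon).
# The /run/teamd entry mirrors what restorecon reported on the affected node.
EXPECTED_TYPES: List[Tuple[re.Pattern, str]] = [
    (re.compile(r'^/run/teamd(/.*)?$'), 'NetworkManager_var_run_t'),
]


@dataclass
class AvcDenial:
    timestamp: float
    serial: int
    permissions: Tuple[str, ...]
    comm: str
    path: Optional[str]
    source_type: str   # domain of the process (e.g. NetworkManager_t)
    target_type: str   # type of the object it touched (e.g. var_run_t)
    tclass: str
    permissive: bool


@dataclass
class Finding:
    path: str
    domain: str
    actual: str
    expected: str


def context_type(ctx: str) -> str:
    """Return the type field of a user:role:type[:level] SELinux context."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line: str) -> Optional[AvcDenial]:
    """Parse one audit line; non-AVC records (SYSCALL, CWD, ...) yield None."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    return AvcDenial(
        timestamp=float(m.group('ts')),
        serial=int(m.group('serial')),
        permissions=tuple(m.group('perms').split()),
        comm=fields.get('comm', ''),
        path=fields.get('path'),
        source_type=context_type(fields.get('scontext', '')),
        target_type=context_type(fields.get('tcontext', '')),
        tclass=fields.get('tclass', ''),
        permissive=fields.get('permissive') == '1',
    )


def expected_type(path: str) -> Optional[str]:
    """Look up the type the (constructed) file-context table assigns to path."""
    for pattern, stype in EXPECTED_TYPES:
        if pattern.match(path):
            return stype
    return None


def classify(d: AvcDenial) -> str:
    """'mislabel' if the file's type differs from the expected one,
    'policy-denial' if it already matches, 'no-expectation' if unknown."""
    if d.path is None:
        return 'no-expectation'
    exp = expected_type(d.path)
    if exp is None:
        return 'no-expectation'
    return 'mislabel' if exp != d.target_type else 'policy-denial'


def diagnose(lines: List[str]) -> List[Finding]:
    """Return one Finding per file-class AVC denial caused by a wrong label."""
    findings = []
    for line in lines:
        d = parse_avc(line)
        if d and d.tclass == 'file' and classify(d) == 'mislabel':
            findings.append(Finding(d.path, d.source_type, d.target_type,
                                    expected_type(d.path)))
    return findings


def suggest_fix(findings: List[Finding]) -> List[str]:
    """restorecon invocations that put the policy's label back on each path."""
    return [f'restorecon -v {f.path}' for f in findings]


# Sample input: the AVC and SYSCALL records from the report, plus one
# constructed AVC in which the file is already labelled correctly.
SAMPLE_LOG = [
    'type=AVC msg=audit(1553955049.523:135): avc:  denied  { getattr } for  pid=32337 comm="teamd" path="/run/teamd/team0.conf" dev="tmpfs" ino=125425 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0',
    'type=SYSCALL msg=audit(1553955049.523:135): arch=c000003e syscall=6 success=no exit=-13 comm="teamd" exe="/usr/bin/teamd" subj=system_u:system_r:NetworkManager_t:s0 key=(null)',
    'type=AVC msg=audit(1553955050.000:136): avc:  denied  { write } for  pid=32338 comm="teamd" path="/run/teamd/team1.conf" dev="tmpfs" ino=125426 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=file permissive=0',
]

if __name__ == '__main__':
    for f in diagnose(SAMPLE_LOG):
        print(f'{f.path}: {f.actual} but policy expects {f.expected} '
              f'(denied to {f.domain})')
    print('\n'.join(suggest_fix(diagnose(SAMPLE_LOG))))
```

Run against real data with `ausearch -m AVC -ts recent` piped in, after replacing `EXPECTED_TYPES` with the answers of `matchpathcon` for the paths in question; only the mislabel findings should be handed to restorecon, while a policy-denial finding is a signal to look at the policy or the producing process, not at the file.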

