Uploaded image for project: 'Ansible Automation Platform RFEs'
  1. Ansible Automation Platform RFEs
  2. AAPRFE-2612

Installer should add proper SELinux rules for containerised deployments

XMLWordPrintable

    • False
    • Hide

      None

      Show
      None
    • False

      Description

      Installer (or further execution of the pods) of AAP2.5 containerised deployment does alters SELinux context of many files and directories. This causes issues when one wants to fix some SELinux issue and executes `restorecon -R -F -v` also on `~aap/.local/share/containers` folder (asuming `aap` is the AAP2.5 user).

      Steps to Reproduce

      1) Install AAP2.5 in a containerised deployment. Either with a user with a "traditional" home (like /home/aap) or on some alternate-but-meaningfull home (like /var/lib/aap where default SELinux label isn't `user_home_dir_t` but `var_lib_t`).

      2) run `restorecon -R -F ~aap/.local/share/containers` (assuming `aap` is the deployment's user).

      3) Restart the user's services or reboot the system.

      Actual Behavior

      3) ends up with errors like:

      Oct 31 09:13:07 aap25containers automation-hub-api[22889]: /bin/bash: error while loading shared libraries: libtinfo.so.6: cannot change memory protections 

Oct 31 09:13:16 aap25containers automation-controller-rsyslog[19580]: /usr/bin/dumb-init: error while loading shared libraries: libc.so.6: cannot change memory protections

Oct 31 09:21:16 aap25containers automation-eda-api[23109]: /usr/bin/dumb-init: error while loading shared libraries: libc.so.6: cannot change memory protections

      or like:

      Nov 03 12:49:25 aap25containers automation-eda-api[515754]: PermissionError: [Errno 13] Permission denied: '/etc/eda/SECRET_KEY'
..
Nov 03 12:49:25 aap25containers setroubleshoot[505899]: SELinux is preventing /usr/bin/python3.11 from read access on the file eda_secret_key. For complete SELinux messages run: sealert -l 9f68aa69-f025-4150-87b6-18efbda5d083

      both for many user's services. Most of AAP functionality is down. Relevant AVCs present in audit logs.

      Expected Behavior

      Regardless where the home is (and hence regardless what the default context of the home dir would be), the deployment must "survive" forceful relabel of the containers dir. All services must continue in operation, no AVCs.

      Additional Context

      Two KCS solutions can be used as an idea of a fix (maybe incompete but at least a good start):

      https://access.redhat.com/solutions/7133297
      https://access.redhat.com/solutions/7087659

              dysilva Dylan Silva
              rhn-support-pmoravec Pavel Moravec
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

                Created:
                Updated: