eucalyptus / calyptos

Tool for Managing Eucalyptus
BSD 2-Clause "Simplified" License

selinux not getting set to disabled on NCs #44

Open dmccue opened 9 years ago

dmccue commented 9 years ago

Multiple causes:

calyptos environment - http://pastebin.com/GSu6h9T0
chef logs - http://pastebin.com/RRWUKvy5

sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          disabled
Policy version:                 24
Policy from config file:        targeted

Tried: echo 0 > /selinux/enforce

Solution: Can eucalyptus-nc be run in permissive mode? Otherwise we could update calyptos to initiate a reboot during the prepare stage prior to installation.

viglesiasce commented 9 years ago

@dmccue

The epic for Euca getting SELinux support is here: https://eucalyptus.atlassian.net/browse/EUCA-10478

The first cut will definitely be getting the NC hardened as that is the most vulnerable.

As for SELinux not being fully disabled, I'm guessing this is new behavior since CentOS 6.7 as we haven't run into this before and the cookbook explicitly sets it off here https://github.com/eucalyptus/eucalyptus-cookbook/blob/euca-4.2/recipes/default.rb#L61, and I can see those steps running in the logs you posted.

I'll try to reproduce and see if there is anything we can do on the Euca side before full SELinux support; if not, your suggestion seems spot on. Are those machines still around perchance?

Thanks!

viglesiasce commented 9 years ago

@dmccue is this still happening on the latest runs? If so, was the fix always to reboot?

dmccue commented 9 years ago

PRC comes with selinux set to disabled, I'll set it to enabled and verify the behavior.

[root@odc-f-09 ~]# getenforce
Disabled

mbacchi commented 9 years ago

@viglesiasce I believe the current behavior (nc not starting unless selinux=disabled) may have been exacerbated/caused by my fix for EUCA-10804, commit 3ecb48. Whereas in the past it didn't actually fail to start, but it may have failed down the line when things didn't function properly due to selinux enablement.

By the way @dmccue, the command we use to verify if it is enabled is /usr/sbin/selinuxenabled, which should return 1 if disabled.

I'm not a fan of rebooting the target machines during calyptos execution, maybe calyptos can check status and if still enabled, instruct the user to reboot after we have run the chef recipe to disable it.
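The post-recipe check suggested above, written out as an added example (not code from calyptos or the eucalyptus cookbook): it parses `sestatus`-style output and distinguishes "disabled at runtime" from "config file says disabled but the running kernel still has it enabled", which is exactly the state the `sestatus` output in this issue shows and the case where only a reboot helps. The two sample outputs are constructed from the issue; `check_host` and `selinux_verdict` are names chosen here.

```sh
#!/bin/sh
# Added example: decide whether an NC still needs a reboot after the
# cookbook wrote SELINUX=disabled to /etc/selinux/config.

# selinux_verdict: reads sestatus output on stdin and prints one of
#   ok             - SELinux is disabled in the running kernel
#   reboot-needed  - config says disabled, but the kernel still has it enabled
#   still-enabled  - config does not say disabled; the recipe did not take effect
selinux_verdict() {
    status=""
    mode_cfg=""
    while IFS= read -r line; do
        case "$line" in
            "SELinux status:"*)        status=$(echo "${line##*:}" | tr -d ' \t') ;;
            "Mode from config file:"*) mode_cfg=$(echo "${line##*:}" | tr -d ' \t') ;;
        esac
    done
    if [ "$status" = "disabled" ]; then
        echo ok
    elif [ "$mode_cfg" = "disabled" ]; then
        echo reboot-needed
    else
        echo still-enabled
    fi
}

# Live check for a real host. selinuxenabled exits 0 when SELinux is
# enabled and 1 when it is disabled, so only run sestatus in the former case.
check_host() {
    if /usr/sbin/selinuxenabled 2>/dev/null; then
        sestatus | selinux_verdict
    else
        echo ok
    fi
}

# Constructed sample: the state reported in this issue after the recipe ran.
SAMPLE_AFTER_RECIPE='SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          disabled
Policy version:                 24
Policy from config file:        targeted'

# Constructed sample: the state after the reboot (getenforce -> Disabled).
SAMPLE_DISABLED='SELinux status:                 disabled'

printf '%s\n' "$SAMPLE_AFTER_RECIPE" | selinux_verdict   # prints reboot-needed
printf '%s\n' "$SAMPLE_DISABLED" | selinux_verdict       # prints ok
```

On a real NC, `check_host` printing `reboot-needed` is the signal calyptos could use to tell the user to reboot instead of rebooting the machine itself.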