Bug 1049091

Summary: openstack-selinux blocks communication from dashboard to identity service
Product: [Community] RDO
Reporter: Tom Fifield <tom>
Component: openstack-selinux
Assignee: Ryan Hallisey <rhallise>
Status: CLOSED CURRENTRELEASE
QA Contact: Ofer Blaut <oblaut>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: unspecified
CC: lars, mgrepl, tom, yeylon
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-03-30 23:00:11 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Tom Fifield 2014-01-07 01:02:50 UTC
Description of problem:

When running the OpenStack Dashboard and OpenStack Identity Service on the same machine, under 6x, using the repo at http://repos.fedorapeople.org/repos/openstack/openstack-havana/rdo-release-havana-6.noarch.rpm, login at the dashboard errors with "unauthorised".

This is because selinux (mode=enforcing), with the openstack-selinux package installed correctly (openstack-selinux-0.1.3-2.el6ost.noarch) is denying the request from the dashboard (httpd process) to communicate to the identity service on port 5000:

type=AVC msg=audit(1388999124.442:109): avc: denied { name_connect } for pid=1954 comm="httpd" dest=5000 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:commplex_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1388999124.442:109): arch=c000003e syscall=42 success=no exit=-13 a0=e a1=7f129482d770 a2=10 a3=f items=0 ppid=1927 pid=1954 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

If selinux is disabled, login works successfully.

Version-Release number of selected component (if applicable):
6x

How reproducible:
Every time

Steps to Reproduce:
1. Install OpenStack following the official documentation: http://docs.openstack.org/trunk/install-guide/install/yum/content/ch_preface.html
2. At section 7, "Install the Dashboard" try to login

Actual results:
Login does not work, erroring with "unauthorised"


Expected results:
Login succeeds, entering the user into the dashboard

Additional info:

Comment 1 Lars Kellogg-Stedman 2014-02-10 19:03:04 UTC
Can you confirm if you still see this behavior with the latest Havana RDO packages?

Comment 2 Ryan Hallisey 2014-04-23 15:18:37 UTC
Can you attach the full /var/log/audit/audit.log file?  Also, test again in permissive (setenforce 0) so I can see all the denials because there may be more.

Comment 3 Miroslav Grepl 2014-05-02 10:30:04 UTC
We have

tunable_policy(`httpd_use_openstack',`
    corenet_tcp_connect_keystone_port(httpd_sys_script_t)
    corenet_tcp_connect_all_ephemeral_ports(httpd_t)
    corenet_tcp_connect_glance_port(httpd_sys_script_t)
    corenet_tcp_connect_osapi_compute_port(httpd_sys_script_t)
')

tunable_policy(`httpd_use_openstack',`
    corenet_tcp_connect_osapi_compute_port(httpd_t)
')


so we need to add additional rules.

Comment 4 Miroslav Grepl 2014-05-02 10:34:42 UTC
Actually we have

tunable_policy(`httpd_use_openstack',`
    corenet_tcp_connect_commplex_port(httpd_sys_script_t)
    corenet_tcp_connect_glance_port(httpd_sys_script_t)
')

in RHEL6. 


Which scripts does it cause?
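
The following is an added triage helper, not part of the bug report or of openstack-selinux: it parses the AVC line quoted in the description (copied here as a constructed string) into its fields and, for the exact denial this bug is about (httpd_t name_connect to commplex_port_t), points at the boolean and port-label checks discussed in Comments 3 and 4 instead of disabling SELinux. The function and variable names are my own.

```shell
#!/bin/sh
# Constructed copy of the denial from the report (not read from a live audit.log).
AVC_LINE='type=AVC msg=audit(1388999124.442:109): avc: denied { name_connect } for pid=1954 comm="httpd" dest=5000 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:commplex_port_t:s0 tclass=tcp_socket'

# avc_field LINE KEY -> value of the KEY=value token (surrounding quotes stripped)
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE -> the permission listed inside "denied { ... }"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p' | tr -d ' '
}

# ctx_type CONTEXT -> the type field of user:role:type:level
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_triage LINE -> prints a diagnosis; returns 0 only for the denial this bug describes
avc_triage() {
    line=$1
    src=$(ctx_type "$(avc_field "$line" scontext)")
    tgt=$(ctx_type "$(avc_field "$line" tcontext)")
    perm=$(avc_perm "$line")
    port=$(avc_field "$line" dest)
    comm=$(avc_field "$line" comm)
    case "$src:$perm:$tgt" in
        httpd_t:name_connect:commplex_port_t)
            echo "$comm (domain $src) was refused $perm to port $port, labelled $tgt"
            echo "check: getsebool httpd_use_openstack   # RHEL6 rule covers httpd_sys_script_t, not httpd_t"
            echo "check: semanage port -l | grep -w $port  # confirm the label on the keystone port"
            return 0 ;;
        *)
            echo "$src $perm $tgt: not the dashboard-to-keystone denial from this bug"
            return 1 ;;
    esac
}

avc_triage "$AVC_LINE"
```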

Comment 5 Red Hat Bugzilla 2023-09-14 01:56:34 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days