Bug 1105357

Summary: Keystone cannot send notifications
Product: [Community] RDO
Component: openstack-selinux
Status: CLOSED CURRENTRELEASE
Reporter: Adam Young <ayoung>
Assignee: RHOS Maint <rhos-maint>
QA Contact: Ofer Blaut <oblaut>
CC: mgrepl, mmalik, rhallise, yeylon
Flags: mmalik: needinfo?
Severity: unspecified
Priority: unspecified
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Target Release: ---
Doc Type: Bug Fix
Type: Bug
Bug Blocks: 1105579
Last Closed: 2016-03-30 23:02:25 UTC
Attachments: audit log

Description Adam Young 2014-06-06 00:01:50 UTC
Description of problem:

Keystone is not set up from a packstack run to deliver notifications. Attempting to do so trips over SELinux denying access to the RabbitMQ port.

Version-Release number of selected component (if applicable):

How reproducible:
100%

Steps to Reproduce:

Edit /etc/keystone/keystone.conf and set

notification_driver=nova.openstack.common.notifier.rpc_notifier

(should not be a nova-specific value, but this works)

But then notification causes the command to hang.

In /etc/keystone/keystone.log:
AMQP server on localhost:5672 is unreachable:

Need an SELinux policy change to let Keystone write to port 5672.

2014-06-05 19:53:09.381 25222 ERROR oslo.messaging._drivers.impl_rabbit [-] AMQP server on 192.168.187.26:5672 is unreachable: [Errno 13] EACCES. Trying again in 11 seconds.

Setting permissive got it through.

Comment 1 Adam Young 2014-06-06 14:59:40 UTC
Created attachment 902950
audit log

type=AVC msg=audit(1402012459.925:68081): avc:  denied  { name_connect } for  pid=25341 comm="keystone-all" dest=5672 scontext=system_u:system_r:keystone_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket
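The AVC record above is what a defender has to triage before deciding whether the fix is a policy allow rule (as the later commit does) or a mislabeled port. As an added example that is not part of the bug report, here is a small Python parser that extracts the fields of such records and summarizes denials by source type, permission, target type and object class. The sample audit lines are constructed from the record above plus an unrelated SYSCALL record, and the allow rule it renders uses standard SELinux type-enforcement syntax; it is not the actual openstack-selinux change.

```python
import re
from collections import Counter

# Constructed sample input: the AVC record from this bug plus one unrelated
# SYSCALL record, in the form auditd writes to /var/log/audit/audit.log.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1402012459.925:68081): avc:  denied  { name_connect } for  '
    'pid=25341 comm="keystone-all" dest=5672 scontext=system_u:system_r:keystone_t:s0 '
    'tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket',
    'type=SYSCALL msg=audit(1402012459.925:68081): arch=c000003e syscall=42 '
    'success=no exit=-13 comm="keystone-all"',
]

# Fixed prefix of an AVC record; the key=value fields after "for" vary by object class.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None for any other record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "serial": m.group("serial"), "result": m.group("result")}
    rec["perms"] = m.group("perms").split()
    for key, val in KV_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # A context is user:role:type:level; policy rules are written against the type.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec

def summarize_denials(lines):
    """Count denied (source type, permission, target type, class) tuples."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            for perm in rec["perms"]:
                counts[(rec["scontext_type"], perm, rec["tcontext_type"], rec["tclass"])] += 1
    return counts

def allow_rule(key):
    """Render a denial tuple as a type-enforcement allow rule for a local policy module."""
    src, perm, tgt, tclass = key
    return f"allow {src} {tgt}:{tclass} {perm};"
```

Because the target is amqp_port_t (a port the policy already labels), the summary points at a missing allow rule for keystone_t rather than at a port that needs relabeling with semanage.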

Comment 2 Miroslav Grepl 2014-06-09 13:53:42 UTC
commit b77d9519cdd72090bf8d12a702730388027b9679
Author: Miroslav Grepl <mgrepl>
Date:   Mon Jun 9 15:49:36 2014 +0200

    Allow keystone to connect to additional ports to make OpenStack working


Added to Fedora/RHEL7.1.