Bug 1130212

Summary: [CISCO RHEL-OSP] Glance image upload after integrating ceph failing because of selinux
Product: Red Hat OpenStack
Reporter: satya routray <satroutr>
Component: openstack-selinux
Assignee: Ryan Hallisey <rhallise>
Status: CLOSED ERRATA
QA Contact: Yogev Rabl <yrabl>
Severity: high
Docs Contact:
Priority: high
Version: 5.0 (RHEL 7)
CC: ajeain, bhouser, dwalsh, eglynn, fpercoco, fty, lhh, mgrepl, sclewis, scohen, sgordon, yeylon, yihleong.sun
Target Milestone: z1
Keywords: ZStream
Target Release: 5.0 (RHEL 7)
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: openstack-selinux-0.5.15-2.el7ost
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-09-30 18:02:39 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On:
Bug Blocks: 1154145, 1154162, 1154159
Attachments:
  /var/log/messages from the server (flags: none)
  /var/log/audit/ from the server (flags: none)

Description satya routray 2014-08-14 14:35:28 UTC
Description of problem:
Glance image upload after integrating ceph failing because of selinux

Version-Release number of selected component (if applicable):
[root@cvf13-server-5 ~(keystone_admin)]# glance --version
0.13.1

How reproducible:
setup the openstack nodes
setup the ceph nodes
integrate Glance to use the ceph nodes to store images

Actual results:
It fails with 500(internal server error)
from glance api.log
2014-08-12 17:16:18.973 32444 ERROR glance.api.v1.upload_utils [-] Failed to upload image 3b1fbd0a-0717-4983-bf8b-67263d73dad7
2014-08-12 17:16:18.973 32444 TRACE glance.api.v1.upload_utils Traceback (most recent call last):
2014-08-12 17:16:18.973 32444 TRACE glance.api.v1.upload_utils   File "/usr/lib/python2.7/site-packages/glance/api/v1/upload_utils.py", line 99, in upload_data_to_store
2014-08-12 17:16:18.973 32444 TRACE glance.api.v1.upload_utils     store)
2014-08-12 17:16:18.973 32444 TRACE glance.api.v1.upload_utils   File "/usr/lib/python2.7/site-packages/glance/store/__init__.py", line 380, in store_add_to_backend
2014-08-12 17:16:18.973 32444 TRACE glance.api.v1.upload_utils     (location, size, checksum, metadata) = store.add(image_id, data, size)
2014-08-12 17:16:18.973 32444 TRACE glance.api.v1.upload_utils   File "/usr/lib/python2.7/site-packages/glance/store/rbd.py", line 319, in add
2014-08-12 17:16:18.973 32444 TRACE glance.api.v1.upload_utils     with rados.Rados(conffile=self.conf_file, rados_id=self.user) as conn:
2014-08-12 17:16:18.973 32444 TRACE glance.api.v1.upload_utils   File "/usr/lib/python2.7/site-packages/rados.py", line 208, in __init__
2014-08-12 17:16:18.973 32444 TRACE glance.api.v1.upload_utils     self.librados = CDLL(librados_path)
2014-08-12 17:16:18.973 32444 TRACE glance.api.v1.upload_utils   File "/usr/lib64/python2.7/ctypes/__init__.py", line 360, in __init__
2014-08-12 17:16:18.973 32444 TRACE glance.api.v1.upload_utils     self._handle = _dlopen(self._name, mode)
2014-08-12 17:16:18.973 32444 TRACE glance.api.v1.upload_utils OSError: librados.so.2: cannot enable executable stack as shared object requires: Permission denied

Expected results:
Upload should work fine

Additional info:

Comment 2 satya routray 2014-08-14 16:06:02 UTC
The Ceph cluster we are using is an Inktank Ceph cluster.

root@cvf13-server-247:~ # ceph -v
ceph version 0.80.4-1-g67b5193 (67b5193f73a2c9ec9e503ad3431473998217375d)

Comment 3 Britt Houser 2014-08-14 16:26:26 UTC
Created attachment 926858 [details]
/var/log/messages from the server

Comment 4 Britt Houser 2014-08-14 16:26:57 UTC
Created attachment 926859 [details]
/var/log/audit/ from the server

Comment 5 Flavio Percoco 2014-08-19 07:39:32 UTC
@Daniel Do you know OTOH what rule might be missing?

Comment 6 Daniel Walsh 2014-08-19 20:30:58 UTC
$ audit2allow -i *


#============= glance_api_t ==============

#!!!! This avc can be allowed using the boolean 'glance_use_execmem'
allow glance_api_t self:process { execstack execmem };
dwalsh@redsox$
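As an added example (not code from this bug report, from openstack-selinux or from audit2allow), the script below does the first half of what audit2allow did in the comment above: it parses raw auditd AVC records, keeps only denials of process-class memory permissions (execmem, execstack, execheap), groups them by source domain, and prints the minimal allow rule that would cover them, so an operator can confirm the denial is the one this bug describes instead of turning SELinux off wholesale. The audit lines are constructed samples in the standard auditd AVC format, not the attachments from this bug; the pids, timestamps and serials are made up.

```python
import re

# Constructed sample audit records (NOT the attachments from this bug).
# Two process-class denials for glance_api_t, one unrelated file denial
# for httpd_t, and one SYSCALL record that must be ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1407860178.973:4121): avc:  denied  { execstack } for  pid=32444 comm="glance-api" scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:system_r:glance_api_t:s0 tclass=process
type=AVC msg=audit(1407860178.975:4122): avc:  denied  { execmem } for  pid=32444 comm="glance-api" scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:system_r:glance_api_t:s0 tclass=process
type=AVC msg=audit(1407860200.001:4130): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="sda1" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1407860178.973:4121): arch=c000003e syscall=10 success=no exit=-13
"""

# Shape of an AVC record: the timestamp/serial, the verdict, the braced
# permission set, then "for" followed by key=value fields.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<action>denied|granted)\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$'
)
# key=value pairs; values may be quoted (comm="glance-api") or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Process-class permissions that grant writable+executable memory; these
# are the ones the execmem-style booleans (e.g. glance_use_execmem) toggle.
MEMORY_PERMS = {"execmem", "execstack", "execheap"}


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other line."""
    m = AVC_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "action": m.group("action"),
        "perms": set(m.group("perms").split()),
        "tclass": fields.get("tclass"),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "comm": fields.get("comm"),
        "pid": fields.get("pid"),
    }


def source_type(context):
    """Extract the type field from user:role:type:level (e.g. glance_api_t)."""
    parts = context.split(":") if context else []
    return parts[2] if len(parts) >= 3 else None


def find_exec_memory_denials(log_text):
    """Keep only denied process-class execmem/execstack/execheap records."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["action"] != "denied":
            continue
        wanted = rec["perms"] & MEMORY_PERMS
        if rec["tclass"] == "process" and wanted:
            hits.append({
                "domain": source_type(rec["scontext"]),
                "comm": rec["comm"],
                "pid": rec["pid"],
                "perms": sorted(wanted),
                "serial": rec["serial"],
            })
    return hits


def summarize_by_domain(hits):
    """Map each source domain to the sorted set of memory perms it was denied."""
    summary = {}
    for h in hits:
        summary.setdefault(h["domain"], set()).update(h["perms"])
    return {d: sorted(p) for d, p in summary.items()}


def allow_rules(summary):
    """Render the minimal self:process allow rule per domain (what audit2allow emits)."""
    return ["allow %s self:process { %s };" % (d, " ".join(p))
            for d, p in sorted(summary.items())]


if __name__ == "__main__":
    hits = find_exec_memory_denials(SAMPLE_AUDIT_LOG)
    for h in hits:
        print("serial %d: %s (%s, pid %s) denied %s" %
              (h["serial"], h["domain"], h["comm"], h["pid"], " ".join(h["perms"])))
    for rule in allow_rules(summarize_by_domain(hits)):
        print(rule)
```

Run against a real `/var/log/audit/audit.log` by reading the file into `find_exec_memory_denials`; a domain that shows up only here (and not with file or socket denials) is the signature of a library needing an executable stack, which is what the librados.so.2 dlopen error in the description reports. Whether to grant it through a boolean or a custom module is the policy decision the rest of this thread works through.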

Comment 7 Flavio Percoco 2014-08-20 09:03:26 UTC
Moving to openstack-selinux since this needs to be enabled there.

Comment 10 Britt Houser 2014-09-05 02:53:09 UTC
Looks like maybe a fix has been identified. Is this something we can apply manually as opposed to turning selinux off wholesale?

Comment 12 Lon Hohberger 2014-09-17 14:50:15 UTC
That boolean isn't available yet, so I'm adding the execmem/execstack allow rule for now.

Comment 13 Lon Hohberger 2014-09-17 14:51:16 UTC
[root@localhost tests]# getsebool -a | grep glance
glance_use_fusefs --> on
[root@localhost tests]# rpm -q selinux-policy
selinux-policy-3.12.1-153.el7_0.10.noarch

Comment 15 Yogev Rabl 2014-09-22 15:42:39 UTC
Verified, the boolean has changed.

Comment 17 errata-xmlrpc 2014-09-30 18:02:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1325.html