Bug 1144539

Summary: selinux preventing Horizon access (IceHouse, CentOS 7)
Product: [Community] RDO Reporter: Yaniv Kaul <mykaul>
Component: openstack-selinuxAssignee: Lon Hohberger <lhh>
Status: CLOSED EOL QA Contact: Ofer Blaut <oblaut>
Severity: high Docs Contact:
Priority: unspecified    
Version: unspecifiedCC: srevivo, whayutin
Target Milestone: ---   
Target Release: Icehouse   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-05-19 15:54:27 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Yaniv Kaul 2014-09-19 16:54:45 UTC 
Trying to login to Horizon fails, when selinux is in Enforcing mode. Switching to permissive solves it. I haven't seen it in CentOS 6.5 or earlier IceHouse releases, so possibly a regression.
CLI commands work ('nova list' for example)

audit.log :
type=AVC msg=audit(1411063019.099:1848): avc:  denied  { name_connect } for  pid=5684 comm="httpd" dest=8776 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket


getenforce Permissive solved it.

[root@lgdrm403 httpd(keystone_admin)]# rpm -qa |grep -E "openstack|selinux"
openstack-utils-2014.1-3.el7.noarch
selinux-policy-targeted-3.12.1-153.el7_0.10.noarch
openstack-nova-cert-2014.1.2-1.el7.centos.noarch
python-django-openstack-auth-1.1.5-1.el7.noarch
libselinux-2.2.2-6.el7.x86_64
openstack-glance-2014.1.2-4.el7.centos.noarch
openstack-packstack-puppet-2014.1.1-0.28.dev1238.el7.noarch
openstack-nova-novncproxy-2014.1.2-1.el7.centos.noarch
openstack-dashboard-2014.1.2-2.el7.centos.noarch
openstack-cinder-2014.1-2.el7.noarch
libselinux-utils-2.2.2-6.el7.x86_64
openstack-nova-console-2014.1.2-1.el7.centos.noarch
openstack-keystone-2014.1.2.1-1.el7.centos.noarch
libselinux-python-2.2.2-6.el7.x86_64
openstack-puppet-modules-2014.1-23.el7.noarch
libselinux-ruby-2.2.2-6.el7.x86_64
openstack-nova-api-2014.1.2-1.el7.centos.noarch
openstack-nova-compute-2014.1.2-1.el7.centos.noarch
openstack-nova-conductor-2014.1.2-1.el7.centos.noarch
openstack-nova-scheduler-2014.1.2-1.el7.centos.noarch
openstack-packstack-2014.1.1-0.28.dev1238.el7.noarch
selinux-policy-3.12.1-153.el7_0.10.noarch
openstack-selinux-0.5.15-1.el7ost.noarch
openstack-nova-common-2014.1.2-1.el7.centos.noarch
openstack-nova-network-2014.1.2-1.el7.centos.noarch



May be a dup of https://bugzilla.redhat.com/show_bug.cgi?id=1084918 ?
Comment 2 Mike McCune 2016-03-28 22:55:34 UTC 
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions
Comment 3 Chandan Kumar 2016-05-19 15:54:27 UTC 
This bug is against a Version which has reached End of Life.
If it's still present in supported release (http://releases.openstack.org), please update Version and reopen.