Bug 1249788
Summary: OpenStack is prevented from connecting to Nova by SELinux (port 8774)

| Field | Value | Field | Value |
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Jan Hutař <jhutar> |
| Component: | SELinux | Assignee: | Lukas Zapletal <lzap> |
| Status: | CLOSED ERRATA | QA Contact: | Kedar Bidarkar <kbidarka> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.1.0 | CC: | bbuckingham, bkearney, chpeters, kbidarka |
| Target Milestone: | Unspecified | Keywords: | Triaged |
| Target Release: | Unused | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-10-15 18:20:29 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Description
Jan Hutař
2015-08-03 20:21:48 UTC
Looks like there is same issue when creating OpenStack compute-resource:

# hammer --username admin --password changeme compute-resource create --name 'openstack' --provider Openstack --url 'http://<openstack>:5000/v2.0/tokens' --user '<user>' --password '<pass>' --tenant '<tenant>' --organization-ids 1 --location-ids 2

type=SYSCALL msg=audit(1438741007.135:462): arch=c000003e syscall=42 success=no exit=-115 a0=f a1=aed95f0 a2=10 a3=5898 items=0 ppid=1 pid=3112 auid=4294967295 uid=497 gid=496 euid=497 suid=497 fsuid=497 egid=496 sgid=496 fsgid=496 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=unconfined_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1438741007.135:462): avc: denied { name_connect } for pid=3112 comm="ruby" dest=8774 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

This is fatal on RHEL7 - creating OpenStack compute resource fails with SELinux in Enforcing.

This should have been solved with https://bugzilla.redhat.com/show_bug.cgi?id=1249788

Sorry I meant https://bugzilla.redhat.com/show_bug.cgi?id=1136991

Verified we are now able to add openstack compute resource without disabling selinux.

2015-10-07 12:43:50 [I] Processing by ComputeResourcesController#provider_selected as HTML
2015-10-07 12:43:50 [I] Parameters: {"provider"=>"Openstack"}
2015-10-07 12:43:51 [I] Rendered compute_resources/form/_openstack.html.erb (222.2ms)
2015-10-07 12:43:51 [I] Rendered taxonomies/_loc_org_tabs.html.erb (18.5ms)
2015-10-07 12:43:51 [I] Rendered compute_resources/_form.html.erb (256.9ms)
2015-10-07 12:43:51 [I] Completed 200 OK in 324ms (Views: 257.6ms | ActiveRecord: 7.1ms)

1 ~]# getenforce
Enforcing

VERIFIED with Satellite-6.1.0-RHEL-7-20151006.1 on RHEL7
VERIFIED with Satellite-6.1.0-RHEL-6-20151006.0 on RHEL6 too.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2015:1911
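
Reading the two audit records from the description, as an added example (not part of the original report or of Satellite's code): the Python sketch below pairs the SYSCALL and AVC records by audit event ID and reports which domain was denied which permission on which port. The function and key names are assumptions of this example; `port_t` is treated as the generic label SELinux gives a port that has no more specific type in the loaded policy.

```python
import re
from collections import defaultdict

# The two records quoted in the bug description (same audit event 462).
SAMPLE = [
    'type=SYSCALL msg=audit(1438741007.135:462): arch=c000003e syscall=42 success=no exit=-115 a0=f a1=aed95f0 a2=10 a3=5898 items=0 ppid=1 pid=3112 auid=4294967295 uid=497 gid=496 euid=497 suid=497 fsuid=497 egid=496 sgid=496 fsgid=496 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=unconfined_u:system_r:passenger_t:s0 key=(null)',
    'type=AVC msg=audit(1438741007.135:462): avc: denied { name_connect } for pid=3112 comm="ruby" dest=8774 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket',
]

HEADER = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
DENIED = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')

def denials(lines):
    """Return one summary dict per AVC denial, enriched from its SYSCALL record."""
    events = defaultdict(lambda: defaultdict(list))  # event id -> record type -> fields
    for line in lines:
        head = HEADER.search(line)
        if not head:
            continue  # not an audit record
        rtype, stamp, serial = head.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(line[head.end():])}
        if rtype == "AVC":
            perms = DENIED.search(line)
            if not perms:
                continue  # granted or malformed AVC: not a denial
            fields["perms"] = perms.group(1).split()
        events[f"{stamp}:{serial}"][rtype].append(fields)

    out = []
    for event_id, recs in events.items():
        syscall = (recs.get("SYSCALL") or [{}])[0]
        for avc in recs.get("AVC", []):
            # SELinux context layout is user:role:type:level; the type decides access.
            target_type = avc["tcontext"].split(":")[2]
            out.append({
                "event": event_id,
                "exe": syscall.get("exe"),
                "source_domain": avc["scontext"].split(":")[2],
                "target_type": target_type,
                "class": avc["tclass"],
                "perms": avc["perms"],
                "port": int(avc["dest"]) if "dest" in avc else None,
                # Generic port_t means no policy rule names this port specifically.
                "generic_port_label": target_type == "port_t" and "name_connect" in avc["perms"],
            })
    return out

if __name__ == "__main__":
    for d in denials(SAMPLE):
        print(d)
```
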