Bug 1306525

Summary: Nova - Glance communication denied by SELinux
Product: Red Hat OpenStack    Reporter: Maxim Babushkin <mbabushk>
Component: openstack-selinux    Assignee: Ryan Hallisey <rhallise>
Status: CLOSED ERRATA    QA Contact: Alexander Stafeyev <astafeye>
Severity: unspecified    Docs Contact:
Priority: unspecified
Version: 8.0 (Liberty)    CC: jschluet, lhh, mgrepl, oblaut, rbiba, webdesigner, yeylon
Target Milestone: ga   
Target Release: 8.0 (Liberty)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openstack-selinux-0.6.53-1.el7ost    Doc Type: Bug Fix
Doc Text:
Previously, when nova was trying to retrieve a list of glance images, SELinux prevented that, and nova failed with an "Unexpected API Error". This update allows nova to communicate with glance. As a result, nova can now list glance images.
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-04-07 21:28:10 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments: Setroubleshooter.log (Flags: none)

Description Maxim Babushkin 2016-02-11 07:48:47 UTC
Created attachment 1123090: Setroubleshooter.log

Description of problem:
Nova - Glance communication denied by SELinux

Package information:
* openstack-selinux-0.6.41-1.el7.noarch
* openstack-glance-11.0.1-2.el7.noarch
* openstack-nova-compute-12.0.1-1.el7.noarch

The installation was made from the RDO on the Liberty version. All in one.

Version-Release number of selected component (if applicable):
8

How reproducible:
100%

Steps to Reproduce:
1. Install glance and nova service.
2. Upload test image to glance.
3. Run 'nova image-list' command.

Actual results:
The 'nova image-list' command returns an "Unexpected API Error".

ERROR (ClientException): Unexpected API Error. Please report this at http://bugs.launchpad.net/nova/ and attach the Nova API log if possible.
<class 'glanceclient.exc.HTTPInternalServerError'> (HTTP 500) (Request-ID: req-58690167-8667-47bf-874a-eb2cf5579c83)

The audit log:
type=AVC msg=audit(1455113474.656:285): avc:  denied  { name_connect } for  pid=3197 comm="glance-registry" dest=5000 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:commplex_main_port_t:s0 tclass=tcp_socket

*** See the attached setroubleshooter log.

Expected results:
Should provide the list of uploaded images.

Additional info:
The command 'glance image-list' works correctly, and provides the list of uploaded images.

Comment 4 Alexander Stafeyev 2016-03-01 09:43:39 UTC
[root@overcloud-controller-0 ~]# nova image-list
+--------------------------------------+--------+--------+--------+
| ID                                   | Name   | Status | Server |
+--------------------------------------+--------+--------+--------+
| ea5007df-5931-4323-bd95-83250eae3295 | cirros | ACTIVE |        |
+--------------------------------------+--------+--------+--------+
[root@overcloud-controller-0 ~]# 



[root@overcloud-controller-0 ~]# rpm -qa | grep tack-seli
openstack-selinux-0.6.55-1.el7ost.noarch

Comment 5 webdesigner 2016-03-24 09:54:51 UTC
# cat /var/log/audit/audit.log | grep glance
type=AVC msg=audit(1458812176.200:22528): avc:  denied  { name_connect } for  pid=49438 comm="glance-registry" dest=5000 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:commplex_main_port_t:s0 tclass=tcp_socket


# yum install setroubleshoot

# sealert -a /var/log/audit/audit.log > ~/sealert.log
# grep glance-registry /var/log/audit/audit.log | audit2allow -M glance-registry-pol
# semodule -i glance-registry-pol.pp

This works for me.
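
An added example, not code from this bug report, from audit2allow or from openstack-selinux: the Python below re-implements the core of what the `audit2allow -M` step in Comment 5 does for AVC records shaped like the ones quoted in this bug, so the rule that the `glance-registry-pol` local module would grant can be read before it is installed with `semodule -i`. It assumes the `type=AVC ... avc: denied { perms } for ... scontext= tcontext= tclass=` record layout shown above; the first sample record is the one from the description, the other two are constructed for the example.

```python
"""Turn SELinux AVC denial records into the allow rules a local policy module
would contain, in the shape audit2allow -M writes (module header, require
block, allow rules). Added example for this bug report; not the real tool."""
import re
from collections import defaultdict

# One AVC denial record: permissions in braces, free-form key=value fields,
# then the source/target contexts and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*?)"
    r"\s+scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
# key=value pairs, values either double-quoted or a bare token
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample audit log: record 1 is the denial quoted in this bug;
# record 2 is a SYSCALL line that must be ignored; record 3 is a made-up
# denial against a different target so a second allow rule is produced.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1455113474.656:285): avc:  denied  { name_connect } for  pid=3197 '
    'comm="glance-registry" dest=5000 scontext=system_u:system_r:glance_registry_t:s0 '
    'tcontext=system_u:object_r:commplex_main_port_t:s0 tclass=tcp_socket',
    'type=SYSCALL msg=audit(1455113474.656:285): arch=c000003e syscall=42 success=no '
    'exit=-13 comm="glance-registry"',
    'type=AVC msg=audit(1455113480.001:290): avc:  denied  { read write } for  pid=3197 '
    'comm="glance-registry" path="/var/log/glance/example.log" '
    'scontext=system_u:system_r:glance_registry_t:s0 '
    'tcontext=system_u:object_r:var_log_t:s0 tclass=file',
]


def type_of(context):
    """A context is user:role:type[:range]; the type is the third field."""
    return context.split(":")[2]


def parse_avc(line):
    """Return the parsed fields of one AVC 'denied' record, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "dest": fields.get("dest"),
        "stype": type_of(m.group("scontext")),
        "ttype": type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def collect_rules(lines):
    """Merge denials into {(source type, target type, class): {perms}}."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            rules[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return rules


def fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_module(name, rules, version="1.0"):
    """Render a type-enforcement (.te) source in audit2allow's layout."""
    types = sorted({t for (src, tgt, _) in rules for t in (src, tgt)})
    by_class = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        by_class[tclass].update(perms)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(by_class.items())]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {fmt_perms(p)};" for (s, t, c), p in sorted(rules.items())]
    return "\n".join(out) + "\n"


def port_type_warnings(rules):
    """A rule whose target is a *_port_t type covers every port carrying that
    label, not just the dest= port from the denial; flag those for review."""
    return [f"{s} -> {t}: applies to every port labelled {t}"
            for (s, t, _) in rules if t.endswith("_port_t")]


if __name__ == "__main__":
    found = collect_rules(SAMPLE_AUDIT)
    print(render_module("glance-registry-pol", found))
    for w in port_type_warnings(found):
        print("WARNING:", w)
```

For the record in this bug the rule that comes out is `allow glance_registry_t commplex_main_port_t:tcp_socket name_connect;`, that is, glance-registry may connect to any TCP port labelled commplex_main_port_t (5000 by default, where Keystone normally listens), which is the same thing the fixed openstack-selinux package has to permit. A module installed this way with `semodule -i` is a standing local override that survives package updates, so once the errata build is in place it is worth removing it (`semodule -r glance-registry-pol`) rather than carrying a hand-written rule beside the vendor policy.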

Comment 6 errata-xmlrpc 2016-04-07 21:28:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-0603.html