Bug 1306525
Summary: | Nova - Glance communication denied by selinux |
---|---|
Product: | Red Hat OpenStack |
Reporter: | Maxim Babushkin <mbabushk> |
Component: | openstack-selinux |
Assignee: | Ryan Hallisey <rhallise> |
Status: | CLOSED ERRATA |
QA Contact: | Alexander Stafeyev <astafeye> |
Severity: | unspecified |
Priority: | unspecified |
Version: | 8.0 (Liberty) |
CC: | jschluet, lhh, mgrepl, oblaut, rbiba, webdesigner, yeylon |
Target Milestone: | ga |
Target Release: | 8.0 (Liberty) |
Hardware: | Unspecified |
OS: | Unspecified |
Fixed In Version: | openstack-selinux-0.6.53-1.el7ost |
Doc Type: | Bug Fix |
Doc Text: | Previously, when nova was trying to retrieve a list of glance images, SELinux prevented that, and nova failed with an "Unexpected API Error". This update allows nova to communicate with glance. As a result, nova can now list glance images. |
Last Closed: | 2016-04-07 21:28:10 UTC |
Type: | Bug |

Description
Maxim Babushkin
2016-02-11 07:48:47 UTC
```
[root@overcloud-controller-0 ~]# nova image-list
+--------------------------------------+--------+--------+--------+
| ID                                   | Name   | Status | Server |
+--------------------------------------+--------+--------+--------+
| ea5007df-5931-4323-bd95-83250eae3295 | cirros | ACTIVE |        |
+--------------------------------------+--------+--------+--------+
[root@overcloud-controller-0 ~]#
[root@overcloud-controller-0 ~]# rpm -qa | grep tack-seli
openstack-selinux-0.6.55-1.el7ost.noarch
```

```
# cat /var/log/audit/audit.log | grep glance
type=AVC msg=audit(1458812176.200:22528): avc: denied { name_connect } for pid=49438 comm="glance-registry" dest=5000 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:commplex_main_port_t:s0 tclass=tcp_socket

# yum install setroubleshoot
# sealert -a /var/log/audit/audit.log > ~/sealert.log
# grep glance-registry /var/log/audit/audit.log | audit2allow -M glance-registry-pol
# semodule -i glance-registry-pol.pp
```

this works for me

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-0603.html
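
Added example, not part of the bug report or of openstack-selinux: the `audit2allow -M` step above turns every denial that matches the `grep` into a loadable allow rule, so this Python script parses AVC records and lists the rules they imply for review before a module is installed. `SAMPLE_LOG`, its second and third records, and the function names are constructed for illustration; only the first record comes from this report.

```python
import re
from collections import defaultdict

# Constructed sample: the denial quoted in this report plus two made-up records.
SAMPLE_LOG = """\
type=AVC msg=audit(1458812176.200:22528): avc: denied { name_connect } for pid=49438 comm="glance-registry" dest=5000 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:commplex_main_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1458812180.100:22530): avc: denied { read open } for pid=50001 comm="example-daemon" name="example.conf" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1458812176.200:22528): arch=c000003e syscall=42 success=no comm="glance-registry"
"""

# Permission list inside { ... }, then the key=value fields after "for".
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= rec.keys():
        return None
    rec["perms"] = m.group("perms").split()
    # An SELinux context is user:role:type:level; the type is the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def candidate_rules(log_text, comm=None):
    """Group denials (optionally for one comm) into the allow rules they imply."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and (comm is None or rec.get("comm") == comm):
            grouped[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    rules = []
    for (s, t, c), perms in sorted(grouped.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {s} {t}:{c} {body};")
    return rules

if __name__ == "__main__":
    # Review only what glance-registry was denied, one rule per line.
    for rule in candidate_rules(SAMPLE_LOG, comm="glance-registry"):
        print(rule)
```

Run against the real `/var/log/audit/audit.log` contents, an unexpected source type, target type or permission in the output is a reason to inspect that denial rather than load it into a local module.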