rhel-osp-director: Introspection fails on VM environment due to selinux: avc: denied { getattr } for pid=21038 comm="httpd" path="/httpboot/inspector.ipxe"
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://rhn.redhat.com/errata/RHEA-2016-2948.html
rhel-osp-director: Introspection fails on VM environment due to selinux: avc:
type=AVC msg=audit(1473911455.239:3068): avc: denied { getattr } for pid=21038 comm="httpd" path="/httpboot/inspector.ipxe" dev="sda1" ino=4718595 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file

Environment:
openstack-ironic-inspector-4.1.1-0.20160906074601.0276422.el7ost.noarch
openstack-ironic-common-6.1.1-0.20160907120305.0acdfca.el7ost.noarch
libselinux-2.5-4.el7.x86_64
selinux-policy-targeted-3.13.1-93.el7.noarch
python-ironic-inspector-client-1.9.0-0.20160902092624.6364bc9.el7ost.noarch
openstack-selinux-0.7.7-1.el7ost.noarch
openstack-ironic-conductor-6.1.1-0.20160907120305.0acdfca.el7ost.noarch
instack-undercloud-5.0.0-0.20160907134010.649dc3f.el7ost.noarch
python-ironic-tests-6.1.1-0.20160907120305.0acdfca.el7ost.noarch
openstack-ironic-api-6.1.1-0.20160907120305.0acdfca.el7ost.noarch
python-ironic-lib-2.1.0-0.20160829084617.52b2d2f.el7ost.noarch
selinux-policy-3.13.1-93.el7.noarch
libselinux-ruby-2.5-4.el7.x86_64
puppet-ironic-9.2.0-0.20160905145838.d14c611.el7ost.noarch
python-ironicclient-1.7.0-0.20160902094012.464044f.el7ost.noarch
libselinux-utils-2.5-4.el7.x86_64
libselinux-python-2.5-4.el7.x86_64

Steps to reproduce:
1. Deploy undercloud, import images, register nodes.
2. Attempt to introspect the registered nodes.

Result:
The introspection times out.
I see AVC in /var/log/audit/audit.log:
type=AVC msg=audit(1473911422.364:2833): avc: denied { getattr } for pid=21037 comm="httpd" path="/httpboot/inspector.ipxe" dev="sda1" ino=4718595 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1473911428.045:2933): avc: denied { getattr } for pid=21035 comm="httpd" path="/httpboot/inspector.ipxe" dev="sda1" ino=4718595 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1473911428.046:2934): avc: denied { getattr } for pid=21035 comm="httpd" path="/httpboot/inspector.ipxe" dev="sda1" ino=4718595 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1473911433.193:3001): avc: denied { getattr } for pid=21041 comm="httpd" path="/httpboot/inspector.ipxe" dev="sda1" ino=4718595 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1473911433.193:3002): avc: denied { getattr } for pid=21041 comm="httpd" path="/httpboot/inspector.ipxe" dev="sda1" ino=4718595 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1473911437.381:3060): avc: denied { getattr } for pid=21036 comm="httpd" path="/httpboot/inspector.ipxe" dev="sda1" ino=4718595 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1473911437.381:3061): avc: denied { getattr } for pid=21036 comm="httpd" path="/httpboot/inspector.ipxe" dev="sda1" ino=4718595 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1473911442.046:3062): avc: denied { getattr } for pid=21888 comm="httpd" path="/httpboot/inspector.ipxe" dev="sda1" ino=4718595 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1473911442.046:3063): avc: denied { getattr } for pid=21888 comm="httpd" path="/httpboot/inspector.ipxe" dev="sda1" ino=4718595 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1473911445.885:3064): avc: denied { getattr } for pid=21883 comm="httpd" path="/httpboot/inspector.ipxe" dev="sda1" ino=4718595 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1473911445.885:3065): avc: denied { getattr } for pid=21883 comm="httpd" path="/httpboot/inspector.ipxe" dev="sda1" ino=4718595 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1473911450.365:3066): avc: denied { getattr } for pid=22049 comm="httpd" path="/httpboot/inspector.ipxe" dev="sda1" ino=4718595 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1473911450.365:3067): avc: denied { getattr } for pid=22049 comm="httpd" path="/httpboot/inspector.ipxe" dev="sda1" ino=4718595 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1473911455.239:3068): avc: denied { getattr } for pid=21038 comm="httpd" path="/httpboot/inspector.ipxe" dev="sda1" ino=4718595 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1473911455.240:3069): avc: denied { getattr } for pid=21038 comm="httpd" path="/httpboot/inspector.ipxe" dev="sda1" ino=4718595 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file

w/a: run setenforce 0 on the undercloud before running introspection.
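
Added example (not part of the original report or of any Red Hat tooling): a small triage script that collapses repeated AVC records like the ones above into unique denials and lists target paths labelled default_t, the type a file carries when no file-context rule matches its path. The function names are hypothetical; the three AVC records in the sample are copied from the report and the SYSCALL line is constructed.

```python
import re
from collections import Counter

# Three AVC records copied from the report; the SYSCALL line is constructed.
SAMPLE = """\
type=AVC msg=audit(1473911422.364:2833): avc: denied { getattr } for pid=21037 comm="httpd" path="/httpboot/inspector.ipxe" dev="sda1" ino=4718595 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=SYSCALL msg=audit(1473911422.364:2833): arch=c000003e syscall=4 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1473911428.045:2933): avc: denied { getattr } for pid=21035 comm="httpd" path="/httpboot/inspector.ipxe" dev="sda1" ino=4718595 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1473911455.240:3069): avc: denied { getattr } for pid=21038 comm="httpd" path="/httpboot/inspector.ipxe" dev="sda1" ino=4718595 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
"""

AVC_RE = re.compile(r'type=AVC msg=audit\([\d.]+:\d+\): avc:\s+denied\s+'
                    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for an AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    if "scontext" not in rec or "tcontext" not in rec:
        return None
    rec["perms"] = tuple(m.group("perms").split())
    # A context is user:role:type:level; the type is what policy rules match on.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(text):
    """Count denials per (comm, source type, perms, path, target type, class)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, text.splitlines())):
        counts[(rec["comm"], rec["source_type"], rec["perms"],
                rec.get("path", ""), rec["target_type"], rec.get("tclass", ""))] += 1
    return counts

def unlabeled_targets(counts):
    """Paths whose target type is default_t (no file-context rule matched)."""
    return sorted({key[3] for key in counts if key[4] == "default_t"})

if __name__ == "__main__":
    summary = summarize(SAMPLE)
    for key, n in summary.items():
        print(n, key)
    print("default_t targets:", unlabeled_targets(summary))
```
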