Bug 826674
| Summary: | [abrt] openstack-glance-2012.1-4.fc17: client.py:549:_do_request:ServerError: The request returned 500 Internal Server Error |
|---|---|
| Product: | [Fedora] Fedora |
| Component: | selinux-policy-targeted |
| Version: | 17 |
| Status: | CLOSED ERRATA |
| Severity: | unspecified |
| Priority: | unspecified |
| Hardware: | x86_64 |
| OS: | Unspecified |
| Reporter: | David Busby <d.busby> |
| Assignee: | Miroslav Grepl <mgrepl> |
| QA Contact: | Ben Levenson <benl> |
| CC: | akscram, alexander.sakhnov, asalkeld, bfilippov, breu, dwalsh, Jan.van.Eldik, jonathansteffan, markmc, matt_domsch, mlvov, pbrady, p, rbryant, rkukura |
| Whiteboard: | abrt_hash:34cb03fcfec31b3543efbc5ea91bef4fb72709a5 |
| Doc Type: | Bug Fix |
| Last Closed: | 2012-06-17 00:05:02 UTC |

Description
David Busby
2012-05-30 18:16:36 UTC
Created attachment 587796
File: backtrace
I've been doing some further investigation and I can say this is due to selinux,
$> sudo setenforce 0
$> glance index
$>
---
type=AVC msg=audit(1338399689.454:257): avc: denied { read } for pid=7917 comm="sh" name="passwd" dev="dm-2" ino=163629 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1338399689.461:258): avc: denied { read } for pid=7920 comm="sh" name="passwd" dev="dm-2" ino=163629 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1338399689.493:259): avc: denied { execute } for pid=7926 comm="glance-registry" name="bash" dev="dm-2" ino=268049 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1338399689.494:260): avc: denied { execute } for pid=7928 comm="glance-registry" name="bash" dev="dm-2" ino=268049 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1338399689.496:261): avc: denied { execute } for pid=7929 comm="glance-registry" name="bash" dev="dm-2" ino=268049 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1338399689.498:262): avc: denied { execute } for pid=7930 comm="glance-registry" name="bash" dev="dm-2" ino=268049 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1338400844.863:552): avc: denied { read } for pid=10772 comm="sh" name="passwd" dev="dm-2" ino=163629 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1338400844.869:553): avc: denied { read } for pid=10774 comm="sh" name="passwd" dev="dm-2" ino=163629 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1338400844.996:554): avc: denied { execute } for pid=10784 comm="glance-registry" name="bash" dev="dm-2" ino=268049 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1338400844.998:555): avc: denied { execute } for pid=10785 comm="glance-registry" name="bash" dev="dm-2" ino=268049 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1338400845.001:556): avc: denied { execute } for pid=10786 comm="glance-registry" name="bash" dev="dm-2" ino=268049 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1338400845.005:557): avc: denied { execute } for pid=10788 comm="glance-registry" name="bash" dev="dm-2" ino=268049 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1338400852.211:558): avc: denied { name_connect } for pid=10771 comm="glance-registry" dest=35357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1338400946.881:610): avc: denied { read } for pid=11132 comm="sh" name="passwd" dev="dm-2" ino=163629 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1338400946.887:611): avc: denied { read } for pid=11135 comm="sh" name="passwd" dev="dm-2" ino=163629 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1338400947.013:612): avc: denied { execute } for pid=11145 comm="glance-registry" name="bash" dev="dm-2" ino=268049 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1338400947.020:613): avc: denied { execute } for pid=11146 comm="glance-registry" name="bash" dev="dm-2" ino=268049 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1338400947.022:614): avc: denied { execute } for pid=11149 comm="glance-registry" name="bash" dev="dm-2" ino=268049 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1338400947.024:615): avc: denied { execute } for pid=11150 comm="glance-registry" name="bash" dev="dm-2" ino=268049 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1338400963.049:616): avc: denied { name_connect } for pid=11131 comm="glance-registry" dest=35357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1338401351.939:625): avc: denied { name_connect } for pid=11131 comm="glance-registry" dest=35357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1338402425.722:633): avc: denied { name_connect } for pid=11131 comm="glance-registry" dest=35357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1338402829.487:634): avc: denied { name_connect } for pid=11131 comm="glance-registry" dest=35357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1338402880.130:635): avc: denied { name_connect } for pid=11131 comm="glance-registry" dest=35357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1338403413.798:647): avc: denied { name_connect } for pid=11131 comm="glance-registry" dest=35357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1338403483.311:664): avc: denied { name_connect } for pid=11131 comm="glance-registry" dest=35357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1338403496.166:670): avc: denied { name_connect } for pid=11131 comm="glance-registry" dest=35357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1338403565.434:676): avc: denied { name_connect } for pid=11131 comm="glance-registry" dest=35357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
---
Will run it through audit2allow to generate policies and update this ticket with the result shortly.
---
grep glance /var/log/audit/audit.log | grep denied | audit2allow
WARNING: Policy would be downgraded from version 27 to 26.

#============= glance_api_t ==============
allow glance_api_t passwd_file_t:file read;

#============= glance_registry_t ==============
allow glance_registry_t ephemeral_port_t:tcp_socket name_connect;
allow glance_registry_t shell_exec_t:file execute;

grep glance /var/log/audit/audit.log | grep denied | audit2allow -M openstack-glance
WARNING: Policy would be downgraded from version 27 to 26.
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i openstack-glance.pp

semodule -i openstack-glance.pp
---
This resolves the immediate issue, however I do not know enough about SELinux at this time to interpret the Warning message about the downgrade, I can however confirm going through this process allows glance index to function.

Fixed in selinux-policy-3.10.0-129.fc17

selinux-policy-3.10.0-130.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-130.fc17

Package selinux-policy-3.10.0-130.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-130.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-9520/selinux-policy-3.10.0-130.fc17
then log in and leave karma (feedback).

selinux-policy-3.10.0-130.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
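
As an added example (not part of the original report, and not audit2allow's own code), the Python below groups AVC denials like the ones quoted above into the source type, target type, class and permission tuples that become allow rules, and keeps the object names and destination ports that the generated rules drop. The function names and the choice of sample lines are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Five denials copied from the report above, plus one constructed non-AVC line.
SAMPLE = """\
type=AVC msg=audit(1338399689.454:257): avc: denied { read } for pid=7917 comm="sh" name="passwd" dev="dm-2" ino=163629 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1338399689.461:258): avc: denied { read } for pid=7920 comm="sh" name="passwd" dev="dm-2" ino=163629 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1338399689.493:259): avc: denied { execute } for pid=7926 comm="glance-registry" name="bash" dev="dm-2" ino=268049 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=SERVICE_START msg=audit(1338399690.000:300): constructed non-AVC record
type=AVC msg=audit(1338400852.211:558): avc: denied { name_connect } for pid=10771 comm="glance-registry" dest=35357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1338400963.049:616): avc: denied { name_connect } for pid=11131 comm="glance-registry" dest=35357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None
    fields['perms'] = m.group('perms').split()
    return fields

def type_of(context):
    """SELinux contexts are user:role:type[:level]; allow rules use the type."""
    return context.split(':')[2]

def summarize(lines):
    """Map (source type, target type, class, perm) -> count and objects seen."""
    rules = defaultdict(lambda: {'count': 0, 'objects': set()})
    for line in lines:
        f = parse_avc(line)
        if f is None:
            continue
        obj = f.get('name') or ('port ' + f['dest'] if 'dest' in f else '?')
        for perm in f['perms']:
            key = (type_of(f['scontext']), type_of(f['tcontext']), f['tclass'], perm)
            rules[key]['count'] += 1
            rules[key]['objects'].add(obj)
    return dict(rules)

def as_allow(key):
    """Render a summary key in the same form audit2allow printed above."""
    return 'allow %s %s:%s %s;' % key

if __name__ == '__main__':
    for key, info in sorted(summarize(SAMPLE.splitlines()).items()):
        print(as_allow(key), '#', info['count'], 'denials,', sorted(info['objects']))
```

On the sample lines, every `name_connect` denial targets port 35357, while the corresponding generated rule covers the whole `ephemeral_port_t` type; the per-rule object list makes that difference visible before a module is loaded with `semodule -i`.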