Bug 978568

Summary: Horizon needs setsebool for httpd, missing from packstack puppet modules
Product: Red Hat OpenStack Reporter: Jordan OMara <jomara>
Component: openstack-foreman-installerAssignee: Jordan OMara <jomara>
Status: CLOSED ERRATA QA Contact: Nir Magnezi <nmagnezi>
Severity: high Docs Contact:
Priority: high    
Version: 3.0CC: athomas, bperkins, jomara, rhos-maint, sclewis, sgordon
Target Milestone: async   
Target Release: 3.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ruby193-openstack-foreman-installer-0.0.18-2.el6ost Doc Type: Bug Fix
Doc Text:
When deploying the Dashboard (Horizon) Foreman was not importing all required Puppet modules. As a result an SELinux boolean required to allow the web server (httpd) to run with SELinux set to enforcing mode was not set correctly. The additional Puppet modules are now included and httpd is able to run when SELinux is set to enforcing mode on new deployments performed using Foreman.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2013-07-10 15:42:17 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jordan OMara 2013-06-26 20:04:51 UTC 
Foreman imports packstack-puppet-modules RPM, which do not actually contain all of the puppet code necessary to finish setting up horizon. Namely, it is missing a setsebool that allows httpd to run in ENFORCING mode

Fix: add the necessary changes to the foreman installer for proper ENFORCING mode on horizon host
Comment 2 Nir Magnezi 2013-07-07 09:44:24 UTC 
(In reply to Jordan OMara from comment #0)
> Foreman imports packstack-puppet-modules RPM, which do not actually contain
> all of the puppet code necessary to finish setting up horizon. Namely, it is
> missing a setsebool that allows httpd to run in ENFORCING mode
> 
> Fix: add the necessary changes to the foreman installer for proper ENFORCING
> mode on horizon host

I'm missing some info regarding this fix.
1. Where is this boolean located? (What was added exactly? a file? a line in a file? a package?) 
2. Can you provide a URL for the fix commit?
Comment 3 Jordan OMara 2013-07-09 13:06:37 UTC 
Verified : 
ruby193-openstack-foreman-installer-0.0.18-2.el6ost.x86_64

[root@virtlab-cloud-13 ~]# getsebool httpd_can_network_connect
httpd_can_network_connect --> on

&& horizon works in ENFORCING mode after policy installation


@nir : 
upstream commit: https://github.com/jsomara/astapor/commit/1de29090a96387a5291c6fef40c248cf321c7a39 
uses puppet to manually flip the selinux bool
Comment 5 errata-xmlrpc 2013-07-10 15:42:17 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1020.html