Description of problem: When running the OpenStack Dashboard and OpenStack Identity Service on the same machine, under 6x, using the repo at http://repos.fedorapeople.org/repos/openstack/openstack-havana/rdo-release-havana-6.noarch.rpm, login at the dashboard errors with "unauthorised". This is because selinux (mode=enforcing), with the openstack-selinux package installed correctly (openstack-selinux-0.1.3-2.el6ost.noarch) is denying the request from the dashboard (httpd process) to communicate to the identity service on port 5000: type=AVC msg=audit(1388999124.442:109): avc: denied { name_connect } for pid=1954 comm="httpd" dest=5000 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:commplex_port_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1388999124.442:109): arch=c000003e syscall=42 success=no exit=-13 a0=e a1=7f129482d770 a2=10 a3=f items=0 ppid=1927 pid=1954 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null) If selinux is disabled, login works successfully. Version-Release number of selected component (if applicable): 6x How reproducible: Every time Steps to Reproduce: 1. Install OpenStack following the official documentation: http://docs.openstack.org/trunk/install-guide/install/yum/content/ch_preface.html 2. At section 7, "Install the Dashboard" try to login Actual results: Login does not work, erroring with "unauthorised" Expected results: Login succeeds, entering the user into the dashboard Additional info:
Can you confirm if you still see this behavior with the latest Havana RDO packages?
Can you attach the full /var/log/audit/audit.log file? Also, test again in permissive (setenforce 0) so I can see all the denials because there may be more.
We have tunable_policy(`httpd_use_openstack',` corenet_tcp_connect_keystone_port(httpd_sys_script_t) corenet_tcp_connect_all_ephemeral_ports(httpd_t) corenet_tcp_connect_glance_port(httpd_sys_script_t) corenet_tcp_connect_osapi_compute_port(httpd_sys_script_t) ') tunable_policy(`httpd_use_openstack',` corenet_tcp_connect_osapi_compute_port(httpd_t) ') so we need to add additional rules.
Actually we have tunable_policy(`httpd_use_openstack',` corenet_tcp_connect_commplex_port(httpd_sys_script_t) corenet_tcp_connect_glance_port(httpd_sys_script_t) ') in RHEL6. Which scripts does it cause?
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days