RDO tickets are now tracked in Jira https://issues.redhat.com/projects/RDO/issues/
Bug 1049091 - openstack-selinux blocks communication from dashboard to identity service
Summary: openstack-selinux blocks communication from dashboard to identity service
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: RDO
Classification: Community
Component: openstack-selinux
Version: unspecified
Hardware: Unspecified
OS: Linux
Target Milestone: ---
Assignee: Ryan Hallisey
QA Contact: Ofer Blaut
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-01-07 01:02 UTC by Tom Fifield
Modified: 2023-09-14 01:56 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-03-30 23:00:11 UTC
Embargoed:



Description Tom Fifield 2014-01-07 01:02:50 UTC
Description of problem:

When running the OpenStack Dashboard and OpenStack Identity Service on the same machine, under 6x, using the repo at http://repos.fedorapeople.org/repos/openstack/openstack-havana/rdo-release-havana-6.noarch.rpm, login at the dashboard errors with "unauthorised".

This is because selinux (mode=enforcing), with the openstack-selinux package installed correctly (openstack-selinux-0.1.3-2.el6ost.noarch) is denying the request from the dashboard (httpd process) to communicate to the identity service on port 5000:

type=AVC msg=audit(1388999124.442:109): avc: denied { name_connect } for pid=1954 comm="httpd" dest=5000 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:commplex_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1388999124.442:109): arch=c000003e syscall=42 success=no exit=-13 a0=e a1=7f129482d770 a2=10 a3=f items=0 ppid=1927 pid=1954 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

If selinux is disabled, login works successfully.

Version-Release number of selected component (if applicable):
6x

How reproducible:
Every time

Steps to Reproduce:
1. Install OpenStack following the official documentation: http://docs.openstack.org/trunk/install-guide/install/yum/content/ch_preface.html
2. At section 7, "Install the Dashboard" try to login

Actual results:
Login does not work, erroring with "unauthorised"


Expected results:
Login succeeds, entering the user into the dashboard

Additional info:

Comment 1 Lars Kellogg-Stedman 2014-02-10 19:03:04 UTC
Can you confirm if you still see this behavior with the latest Havana RDO packages?

Comment 2 Ryan Hallisey 2014-04-23 15:18:37 UTC
Can you attach the full /var/log/audit/audit.log file?  Also, test again in permissive (setenforce 0) so I can see all the denials because there may be more.

Comment 3 Miroslav Grepl 2014-05-02 10:30:04 UTC
We have

tunable_policy(`httpd_use_openstack',`
    corenet_tcp_connect_keystone_port(httpd_sys_script_t)
    corenet_tcp_connect_all_ephemeral_ports(httpd_t)
    corenet_tcp_connect_glance_port(httpd_sys_script_t)
    corenet_tcp_connect_osapi_compute_port(httpd_sys_script_t)
')

tunable_policy(`httpd_use_openstack',`
    corenet_tcp_connect_osapi_compute_port(httpd_t)
')

so we need to add additional rules.

Comment 4 Miroslav Grepl 2014-05-02 10:34:42 UTC
Actually we have

tunable_policy(`httpd_use_openstack',`
    corenet_tcp_connect_commplex_port(httpd_sys_script_t)
    corenet_tcp_connect_glance_port(httpd_sys_script_t)
')

in RHEL6.

Which scripts does it cause?

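As an added check (not part of the bug report or of the openstack-selinux package), the script below parses the AVC record from the description and compares the denied source domain with the domains that the httpd_use_openstack tunable grants according to comment 4. The grant table is transcribed from that comment and is assumed to reflect the RHEL 6 policy of that time; the output shows why the boolean alone cannot cover this denial: the dashboard runs in httpd_t, while the tunable only grants httpd_sys_script_t.

```python
import re

# AVC record copied from the bug description (constructed single-line input).
AVC_LINE = ('type=AVC msg=audit(1388999124.442:109): avc: denied { name_connect } '
            'for pid=1954 comm="httpd" dest=5000 '
            'scontext=unconfined_u:system_r:httpd_t:s0 '
            'tcontext=system_u:object_r:commplex_port_t:s0 tclass=tcp_socket')

# Port type -> source domains allowed to tcp connect when httpd_use_openstack is on.
# Assumption: transcribed from comment 4 (RHEL 6 policy); adjust for other releases.
HTTPD_USE_OPENSTACK = {
    "commplex_port_t": {"httpd_sys_script_t"},
    "glance_port_t": {"httpd_sys_script_t"},
}


def parse_avc(line):
    """Extract the fields of an AVC denial that matter for a port-connect decision."""
    m = re.search(r'avc:\s+denied\s+\{\s*([^}]+?)\s*\}', line)
    if not m:
        return None
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    ctx_type = lambda ctx: ctx.split(':')[2]  # user:role:type:level -> type
    return {
        "perms": m.group(1).split(),
        "comm": fields.get("comm", "").strip('"'),
        "dest": int(fields["dest"]) if "dest" in fields else None,
        "stype": ctx_type(fields["scontext"]),
        "ttype": ctx_type(fields["tcontext"]),
        "tclass": fields.get("tclass"),
    }


def covered_by_tunable(avc, grants=HTTPD_USE_OPENSTACK):
    """Return (covered, reason): True only if enabling the boolean would allow this
    exact source domain -> port type connect; otherwise a policy rule is needed."""
    if avc["tclass"] != "tcp_socket" or "name_connect" not in avc["perms"]:
        return False, "not a tcp name_connect denial"
    allowed = grants.get(avc["ttype"], set())
    if avc["stype"] in allowed:
        return True, f"httpd_use_openstack grants {avc['stype']} -> {avc['ttype']}"
    return False, (f"{avc['stype']} -> {avc['ttype']} is not granted by the tunable "
                   f"(granted domains: {sorted(allowed) or 'none'}); a new rule is needed")


if __name__ == "__main__":
    avc = parse_avc(AVC_LINE)
    print(avc["comm"], avc["stype"], "->", avc["ttype"], "port", avc["dest"])
    print(covered_by_tunable(avc))
```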
Comment 5 Red Hat Bugzilla 2023-09-14 01:56:34 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days
