Bug 1083566 - Selinux blocks Nova services on RHEL7, can't boot or delete instances,
Summary: Selinux blocks Nova services on RHEL7, can't boot or delete instances,
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: RDO
Classification: Community
Component: openstack-selinux
Version: unspecified
Hardware: x86_64
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: ---
Target Release: ---
Assignee: Ryan Hallisey
QA Contact: Ofer Blaut
URL:
Whiteboard:
Depends On:
Blocks: 1107861
Reported: 2014-04-02 13:17 UTC by Yogev Rabl
Modified: 2016-03-30 23:07 UTC (History)

Fixed In Version: openstack-selinux-0.5.5-1.el7ost
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 1107861 (view as bug list)
Environment:
Last Closed: 2016-03-30 23:07:38 UTC
Embargoed:


Attachments
the audit log during launch of instances. (26.35 KB, text/x-log)
2014-04-22 08:01 UTC, Yogev Rabl
the audit.log when running openstack-service restart (47.52 KB, text/x-log)
2014-04-22 08:33 UTC, Yogev Rabl
audit.log (2.14 MB, text/plain)
2014-04-23 20:03 UTC, Ryan Hallisey

Description Yogev Rabl 2014-04-02 13:17:49 UTC
Description of problem:
Instance launching fails on an AIO installation on RHEL 7.
I've installed OpenStack without Neutron; it is working with Nova-network.
When setting SELinux to permissive it works well.


The nova compute log shows:
2014-04-02 16:12:46.405 10851 DEBUG nova.compute.utils [req-50d44af2-aeec-4f89-a557-fa94fc481eb8 4439a5fdc6c04d68aaf1115daa515234 3ab981eb8f4b465fb23ab505cc7bcf8b] [instance: 67082855-3395-4cc0-949b-3e2a693b6cf5] Timed out waiting for a 
reply to message ID 68db9e9cd6f449059d11d9da2c139fe9 notify_about_instance_usage /usr/lib/python2.7/site-packages/nova/compute/utils.py:335
2014-04-02 16:12:46.405 10851 TRACE nova.compute.utils [instance: 67082855-3395-4cc0-949b-3e2a693b6cf5] Traceback (most recent call last):
2014-04-02 16:12:46.405 10851 TRACE nova.compute.utils [instance: 67082855-3395-4cc0-949b-3e2a693b6cf5]   File "/usr/lib/python2.7/site-packages/nova/compute/manager.py", line 1066, in _build_instance
2014-04-02 16:12:46.405 10851 TRACE nova.compute.utils [instance: 67082855-3395-4cc0-949b-3e2a693b6cf5]     set_access_ip=set_access_ip)
2014-04-02 16:12:46.405 10851 TRACE nova.compute.utils [instance: 67082855-3395-4cc0-949b-3e2a693b6cf5]   File "/usr/lib/python2.7/site-packages/nova/compute/manager.py", line 360, in decorated_function
2014-04-02 16:12:46.405 10851 TRACE nova.compute.utils [instance: 67082855-3395-4cc0-949b-3e2a693b6cf5]     return function(self, context, *args, **kwargs)
2014-04-02 16:12:46.405 10851 TRACE nova.compute.utils [instance: 67082855-3395-4cc0-949b-3e2a693b6cf5]   File "/usr/lib/python2.7/site-packages/nova/compute/manager.py", line 1476, in _spawn
2014-04-02 16:12:46.405 10851 TRACE nova.compute.utils [instance: 67082855-3395-4cc0-949b-3e2a693b6cf5]     LOG.exception(_('Instance failed to spawn'), instance=instance)
2014-04-02 16:12:46.405 10851 TRACE nova.compute.utils [instance: 67082855-3395-4cc0-949b-3e2a693b6cf5]   File "/usr/lib/python2.7/site-packages/nova/openstack/common/excutils.py", line 68, in __exit__
2014-04-02 16:12:46.405 10851 TRACE nova.compute.utils [instance: 67082855-3395-4cc0-949b-3e2a693b6cf5]     six.reraise(self.type_, self.value, self.tb)
2014-04-02 16:12:46.405 10851 TRACE nova.compute.utils [instance: 67082855-3395-4cc0-949b-3e2a693b6cf5]   File "/usr/lib/python2.7/site-packages/nova/compute/manager.py", line 1473, in _spawn
2014-04-02 16:12:46.405 10851 TRACE nova.compute.utils [instance: 67082855-3395-4cc0-949b-3e2a693b6cf5]     block_device_info)
2014-04-02 16:12:46.405 10851 TRACE nova.compute.utils [instance: 67082855-3395-4cc0-949b-3e2a693b6cf5]   File "/usr/lib/python2.7/site-packages/nova/virt/libvirt/driver.py", line 2230, in spawn
2014-04-02 16:12:46.405 10851 TRACE nova.compute.utils [instance: 67082855-3395-4cc0-949b-3e2a693b6cf5]     admin_pass=admin_password)
2014-04-02 16:12:46.405 10851 TRACE nova.compute.utils [instance: 67082855-3395-4cc0-949b-3e2a693b6cf5]   File "/usr/lib/python2.7/site-packages/nova/virt/libvirt/driver.py", line 2634, in _create_image
2014-04-02 16:12:46.405 10851 TRACE nova.compute.utils [instance: 67082855-3395-4cc0-949b-3e2a693b6cf5]     net = netutils.get_injected_network_template(network_info)
2014-04-02 16:12:46.405 10851 TRACE nova.compute.utils [instance: 67082855-3395-4cc0-949b-3e2a693b6cf5]   File "/usr/lib/python2.7/site-packages/nova/virt/netutils.py", line 71, in get_injected_network_template
2014-04-02 16:12:46.405 10851 TRACE nova.compute.utils [instance: 67082855-3395-4cc0-949b-3e2a693b6cf5]     if not (network_info and template):
2014-04-02 16:12:46.405 10851 TRACE nova.compute.utils [instance: 67082855-3395-4cc0-949b-3e2a693b6cf5]   File "/usr/lib/python2.7/site-packages/nova/network/model.py", line 379, in __len__
2014-04-02 16:12:46.405 10851 TRACE nova.compute.utils [instance: 67082855-3395-4cc0-949b-3e2a693b6cf5]     return self._sync_wrapper(fn, *args, **kwargs)
2014-04-02 16:12:46.405 10851 TRACE nova.compute.utils [instance: 67082855-3395-4cc0-949b-3e2a693b6cf5]   File "/usr/lib/python2.7/site-packages/nova/network/model.py", line 366, in _sync_wrapper
2014-04-02 16:12:46.405 10851 TRACE nova.compute.utils [instance: 67082855-3395-4cc0-949b-3e2a693b6cf5]     self.wait()
2014-04-02 16:12:46.405 10851 TRACE nova.compute.utils [instance: 67082855-3395-4cc0-949b-3e2a693b6cf5]   File "/usr/lib/python2.7/site-packages/nova/network/model.py", line 398, in wait
2014-04-02 16:12:46.405 10851 TRACE nova.compute.utils [instance: 67082855-3395-4cc0-949b-3e2a693b6cf5]     self[:] = self._gt.wait()
2014-04-02 16:12:46.405 10851 TRACE nova.compute.utils [instance: 67082855-3395-4cc0-949b-3e2a693b6cf5]   File "/usr/lib/python2.7/site-packages/eventlet/greenthread.py", line 168, in wait
2014-04-02 16:12:46.405 10851 TRACE nova.compute.utils [instance: 67082855-3395-4cc0-949b-3e2a693b6cf5]     return self._exit_event.wait()
2014-04-02 16:12:46.405 10851 TRACE nova.compute.utils [instance: 67082855-3395-4cc0-949b-3e2a693b6cf5]   File "/usr/lib/python2.7/site-packages/eventlet/event.py", line 116, in wait
2014-04-02 16:12:46.405 10851 TRACE nova.compute.utils [instance: 67082855-3395-4cc0-949b-3e2a693b6cf5]     return hubs.get_hub().switch()
2014-04-02 16:12:46.405 10851 TRACE nova.compute.utils [instance: 67082855-3395-4cc0-949b-3e2a693b6cf5]   File "/usr/lib/python2.7/site-packages/eventlet/hubs/hub.py", line 187, in switch
2014-04-02 16:12:46.405 10851 TRACE nova.compute.utils [instance: 67082855-3395-4cc0-949b-3e2a693b6cf5]     return self.greenlet.switch()
2014-04-02 16:12:46.405 10851 TRACE nova.compute.utils [instance: 67082855-3395-4cc0-949b-3e2a693b6cf5]   File "/usr/lib/python2.7/site-packages/eventlet/greenthread.py", line 194, in main
2014-04-02 16:12:46.405 10851 TRACE nova.compute.utils [instance: 67082855-3395-4cc0-949b-3e2a693b6cf5]     result = function(*args, **kwargs)
2014-04-02 16:12:46.405 10851 TRACE nova.compute.utils [instance: 67082855-3395-4cc0-949b-3e2a693b6cf5]   File "/usr/lib/python2.7/site-packages/nova/compute/manager.py", line 1254, in _allocate_network_async
2014-04-02 16:12:46.405 10851 TRACE nova.compute.utils [instance: 67082855-3395-4cc0-949b-3e2a693b6cf5]     dhcp_options=dhcp_options)
2014-04-02 16:12:46.405 10851 TRACE nova.compute.utils [instance: 67082855-3395-4cc0-949b-3e2a693b6cf5]   File "/usr/lib/python2.7/site-packages/nova/network/api.py", line 94, in wrapped
2014-04-02 16:12:46.405 10851 TRACE nova.compute.utils [instance: 67082855-3395-4cc0-949b-3e2a693b6cf5]     return func(self, context, *args, **kwargs)
2014-04-02 16:12:46.405 10851 TRACE nova.compute.utils [instance: 67082855-3395-4cc0-949b-3e2a693b6cf5]   File "/usr/lib/python2.7/site-packages/nova/network/api.py", line 48, in wrapper
2014-04-02 16:12:46.405 10851 TRACE nova.compute.utils [instance: 67082855-3395-4cc0-949b-3e2a693b6cf5]     res = f(self, context, *args, **kwargs)
2014-04-02 16:12:46.405 10851 TRACE nova.compute.utils [instance: 67082855-3395-4cc0-949b-3e2a693b6cf5]   File "/usr/lib/python2.7/site-packages/nova/network/api.py", line 302, in allocate_for_instance
2014-04-02 16:12:46.405 10851 TRACE nova.compute.utils [instance: 67082855-3395-4cc0-949b-3e2a693b6cf5]     nw_info = self.network_rpcapi.allocate_for_instance(context, **args)
2014-04-02 16:12:46.405 10851 TRACE nova.compute.utils [instance: 67082855-3395-4cc0-949b-3e2a693b6cf5]   File "/usr/lib/python2.7/site-packages/nova/network/rpcapi.py", line 170, in allocate_for_instance
2014-04-02 16:12:46.405 10851 TRACE nova.compute.utils [instance: 67082855-3395-4cc0-949b-3e2a693b6cf5]     macs=jsonutils.to_primitive(macs))
2014-04-02 16:12:46.405 10851 TRACE nova.compute.utils [instance: 67082855-3395-4cc0-949b-3e2a693b6cf5]   File "/usr/lib/python2.7/site-packages/oslo/messaging/rpc/client.py", line 150, in call
2014-04-02 16:12:46.405 10851 TRACE nova.compute.utils [instance: 67082855-3395-4cc0-949b-3e2a693b6cf5]     wait_for_reply=True, timeout=timeout)
2014-04-02 16:12:46.405 10851 TRACE nova.compute.utils [instance: 67082855-3395-4cc0-949b-3e2a693b6cf5]   File "/usr/lib/python2.7/site-packages/oslo/messaging/transport.py", line 90, in _send
2014-04-02 16:12:46.405 10851 TRACE nova.compute.utils [instance: 67082855-3395-4cc0-949b-3e2a693b6cf5]     timeout=timeout)
2014-04-02 16:12:46.405 10851 TRACE nova.compute.utils [instance: 67082855-3395-4cc0-949b-3e2a693b6cf5]   File "/usr/lib/python2.7/site-packages/oslo/messaging/_drivers/amqpdriver.py", line 409, in send
2014-04-02 16:12:46.405 10851 TRACE nova.compute.utils [instance: 67082855-3395-4cc0-949b-3e2a693b6cf5]     return self._send(target, ctxt, message, wait_for_reply, timeout)
2014-04-02 16:12:46.405 10851 TRACE nova.compute.utils [instance: 67082855-3395-4cc0-949b-3e2a693b6cf5]   File "/usr/lib/python2.7/site-packages/oslo/messaging/_drivers/amqpdriver.py", line 400, in _send
2014-04-02 16:12:46.405 10851 TRACE nova.compute.utils [instance: 67082855-3395-4cc0-949b-3e2a693b6cf5]     result = self._waiter.wait(msg_id, timeout)
2014-04-02 16:12:46.405 10851 TRACE nova.compute.utils [instance: 67082855-3395-4cc0-949b-3e2a693b6cf5]   File "/usr/lib/python2.7/site-packages/oslo/messaging/_drivers/amqpdriver.py", line 280, in wait
2014-04-02 16:12:46.405 10851 TRACE nova.compute.utils [instance: 67082855-3395-4cc0-949b-3e2a693b6cf5]     reply, ending, trylock = self._poll_queue(msg_id, timeout)
2014-04-02 16:12:46.405 10851 TRACE nova.compute.utils [instance: 67082855-3395-4cc0-949b-3e2a693b6cf5]   File "/usr/lib/python2.7/site-packages/oslo/messaging/_drivers/amqpdriver.py", line 220, in _poll_queue
2014-04-02 16:12:46.405 10851 TRACE nova.compute.utils [instance: 67082855-3395-4cc0-949b-3e2a693b6cf5]     message = self.waiters.get(msg_id, timeout)
2014-04-02 16:12:46.405 10851 TRACE nova.compute.utils [instance: 67082855-3395-4cc0-949b-3e2a693b6cf5]   File "/usr/lib/python2.7/site-packages/oslo/messaging/_drivers/amqpdriver.py", line 126, in get
2014-04-02 16:12:46.405 10851 TRACE nova.compute.utils [instance: 67082855-3395-4cc0-949b-3e2a693b6cf5]     'to message ID %s' % msg_id)
2014-04-02 16:12:46.405 10851 TRACE nova.compute.utils [instance: 67082855-3395-4cc0-949b-3e2a693b6cf5] MessagingTimeout: Timed out waiting for a reply to message ID 68db9e9cd6f449059d11d9da2c139fe9
2014-04-02 16:12:46.405 10851 TRACE nova.compute.utils [instance: 67082855-3395-4cc0-949b-3e2a693b6cf5]


The nova network log shows:

2014-04-02 15:47:24.341 10905 TRACE nova.openstack.common.threadgroup Traceback (most recent call last):
2014-04-02 15:47:24.341 10905 TRACE nova.openstack.common.threadgroup   File "/usr/lib/python2.7/site-packages/nova/openstack/common/threadgroup.py", line 117, in wait
2014-04-02 15:47:24.341 10905 TRACE nova.openstack.common.threadgroup     x.wait()
2014-04-02 15:47:24.341 10905 TRACE nova.openstack.common.threadgroup   File "/usr/lib/python2.7/site-packages/nova/openstack/common/threadgroup.py", line 49, in wait
2014-04-02 15:47:24.341 10905 TRACE nova.openstack.common.threadgroup     return self.thread.wait()
2014-04-02 15:47:24.341 10905 TRACE nova.openstack.common.threadgroup   File "/usr/lib/python2.7/site-packages/eventlet/greenthread.py", line 168, in wait
2014-04-02 15:47:24.341 10905 TRACE nova.openstack.common.threadgroup     return self._exit_event.wait()
2014-04-02 15:47:24.341 10905 TRACE nova.openstack.common.threadgroup   File "/usr/lib/python2.7/site-packages/eventlet/event.py", line 116, in wait
2014-04-02 15:47:24.341 10905 TRACE nova.openstack.common.threadgroup     return hubs.get_hub().switch()
2014-04-02 15:47:24.341 10905 TRACE nova.openstack.common.threadgroup   File "/usr/lib/python2.7/site-packages/eventlet/hubs/hub.py", line 187, in switch
2014-04-02 15:47:24.341 10905 TRACE nova.openstack.common.threadgroup     return self.greenlet.switch()
2014-04-02 15:47:24.341 10905 TRACE nova.openstack.common.threadgroup   File "/usr/lib/python2.7/site-packages/eventlet/greenthread.py", line 194, in main
2014-04-02 15:47:24.341 10905 TRACE nova.openstack.common.threadgroup     result = function(*args, **kwargs)
2014-04-02 15:47:24.341 10905 TRACE nova.openstack.common.threadgroup   File "/usr/lib/python2.7/site-packages/nova/openstack/common/service.py", line 480, in run_service
2014-04-02 15:47:24.341 10905 TRACE nova.openstack.common.threadgroup     service.start()
2014-04-02 15:47:24.341 10905 TRACE nova.openstack.common.threadgroup   File "/usr/lib/python2.7/site-packages/nova/service.py", line 180, in start
2014-04-02 15:47:24.341 10905 TRACE nova.openstack.common.threadgroup     self.manager.init_host()
2014-04-02 15:47:24.341 10905 TRACE nova.openstack.common.threadgroup   File "/usr/lib/python2.7/site-packages/nova/network/manager.py", line 1649, in init_host
2014-04-02 15:47:24.341 10905 TRACE nova.openstack.common.threadgroup     self.l3driver.initialize(fixed_range=False, networks=networks)
2014-04-02 15:47:24.341 10905 TRACE nova.openstack.common.threadgroup   File "/usr/lib/python2.7/site-packages/nova/network/l3.py", line 88, in initialize
2014-04-02 15:47:24.341 10905 TRACE nova.openstack.common.threadgroup     self.initialize_network(network['cidr'])
2014-04-02 15:47:24.341 10905 TRACE nova.openstack.common.threadgroup   File "/usr/lib/python2.7/site-packages/nova/network/l3.py", line 99, in initialize_network
2014-04-02 15:47:24.341 10905 TRACE nova.openstack.common.threadgroup     linux_net.init_host(cidr)
2014-04-02 15:47:24.341 10905 TRACE nova.openstack.common.threadgroup   File "/usr/lib/python2.7/site-packages/nova/network/linux_net.py", line 679, in init_host
2014-04-02 15:47:24.341 10905 TRACE nova.openstack.common.threadgroup     add_snat_rule(ip_range)
2014-04-02 15:47:24.341 10905 TRACE nova.openstack.common.threadgroup   File "/usr/lib/python2.7/site-packages/nova/network/linux_net.py", line 671, in add_snat_rule
2014-04-02 15:47:24.341 10905 TRACE nova.openstack.common.threadgroup     iptables_manager.apply()
2014-04-02 15:47:24.341 10905 TRACE nova.openstack.common.threadgroup   File "/usr/lib/python2.7/site-packages/nova/network/linux_net.py", line 428, in apply
2014-04-02 15:47:24.341 10905 TRACE nova.openstack.common.threadgroup     self._apply()
2014-04-02 15:47:24.341 10905 TRACE nova.openstack.common.threadgroup   File "/usr/lib/python2.7/site-packages/nova/openstack/common/lockutils.py", line 249, in inner
2014-04-02 15:47:24.341 10905 TRACE nova.openstack.common.threadgroup     return f(*args, **kwargs)
2014-04-02 15:47:24.341 10905 TRACE nova.openstack.common.threadgroup   File "/usr/lib/python2.7/site-packages/nova/network/linux_net.py", line 448, in _apply
2014-04-02 15:47:24.341 10905 TRACE nova.openstack.common.threadgroup     attempts=5)
2014-04-02 15:47:24.341 10905 TRACE nova.openstack.common.threadgroup   File "/usr/lib/python2.7/site-packages/nova/network/linux_net.py", line 1206, in _execute
2014-04-02 15:47:24.341 10905 TRACE nova.openstack.common.threadgroup     return utils.execute(*cmd, **kwargs)
2014-04-02 15:47:24.341 10905 TRACE nova.openstack.common.threadgroup   File "/usr/lib/python2.7/site-packages/nova/utils.py", line 164, in execute
2014-04-02 15:47:24.341 10905 TRACE nova.openstack.common.threadgroup     return processutils.execute(*cmd, **kwargs)
2014-04-02 15:47:24.341 10905 TRACE nova.openstack.common.threadgroup   File "/usr/lib/python2.7/site-packages/nova/openstack/common/processutils.py", line 193, in execute
2014-04-02 15:47:24.341 10905 TRACE nova.openstack.common.threadgroup     cmd=' '.join(cmd))
2014-04-02 15:47:24.341 10905 TRACE nova.openstack.common.threadgroup ProcessExecutionError: Unexpected error while running command.
2014-04-02 15:47:24.341 10905 TRACE nova.openstack.common.threadgroup Command: sudo nova-rootwrap /etc/nova/rootwrap.conf iptables-save -c
2014-04-02 15:47:24.341 10905 TRACE nova.openstack.common.threadgroup Exit code: 1
2014-04-02 15:47:24.341 10905 TRACE nova.openstack.common.threadgroup Stdout: ''
2014-04-02 15:47:24.341 10905 TRACE nova.openstack.common.threadgroup Stderr: 'sudo: unknown uid 162: who are you?\n'
2014-04-02 15:47:24.341 10905 TRACE nova.openstack.common.threadgroup 


Version-Release number of selected component (if applicable):
openstack-puppet-modules-2014.1-5.3.el7.noarch
openstack-nova-conductor-2014.1-0.13.b3.el7.noarch
openstack-swift-object-1.12.0-1.el7.noarch
openstack-nova-common-2014.1-0.13.b3.el7.noarch
openstack-packstack-2014.1.1-0.7.dev1018.el7.noarch
openstack-nova-cert-2014.1-0.13.b3.el7.noarch
python-django-openstack-auth-1.1.4-1.el7.noarch
openstack-swift-1.12.0-1.el7.noarch
openstack-glance-2014.1-0.4.b3.el7.noarch
openstack-packstack-puppet-2014.1.1-0.7.dev1018.el7.noarch
openstack-nova-compute-2014.1-0.13.b3.el7.noarch
openstack-nova-novncproxy-2014.1-0.13.b3.el7.noarch
openstack-utils-2013.2-3.p1.el7.noarch
openstack-dashboard-2014.1-0.5.b3.el7.noarch
openstack-swift-account-1.12.0-1.el7.noarch
openstack-swift-proxy-1.12.0-1.el7.noarch
openstack-nova-network-2014.1-0.13.b3.el7.noarch
openstack-keystone-2014.1-0.4.b3.el7.noarch
openstack-nova-api-2014.1-0.13.b3.el7.noarch
openstack-swift-container-1.12.0-1.el7.noarch
openstack-nova-scheduler-2014.1-0.13.b3.el7.noarch
openstack-nova-console-2014.1-0.13.b3.el7.noarch
openstack-swift-plugin-swift3-1.7-3.el7.noarch
openstack-cinder-2014.1-0.6.b3.el7.noarch

How reproducible:
100%

Steps to Reproduce:
1. Install openstack AIO with packstack on RHEL 7.
2. Upload the CirrOS to the Glance.
3. Launch an instance with that image.

Actual results:
The launch fails and the instance's status is error.

Expected results:
The launch should succeed and the instance should be active.

Additional info:

Comment 1 Ryan Hallisey 2014-04-21 19:06:08 UTC
Can you attach /var/log/audit/audit.log please?

Comment 2 Yogev Rabl 2014-04-22 08:01:47 UTC
Created attachment 888379 [details]
the audit log during launch of instances.

Comment 3 Yogev Rabl 2014-04-22 08:33:51 UTC
Created attachment 888383 [details]
the audit.log when running openstack-service restart

Comment 4 Tzach Shefi 2014-04-22 10:52:47 UTC
Ran into another aspect of the SELinux-blocks-Nova-services problem.
RDO on RHEL7, default selinux 1.

On instance boot: status -> error, power -> no state. Other than not being able to boot instances, they can't be terminated either.

nova delete <> doesn't delete the instance; it is stuck in "deleting".
nova reset-state --active <> followed by nova delete <> also leaves it stuck in the deleting state.

With setenforce 0, the above steps successfully terminate/delete the stuck instances.

Comment 5 Ryan Hallisey 2014-04-23 19:57:12 UTC
The audit log during launch doesn't have any avc's, but the audit log for running openstack-service restart does. This is a little bizarre considering that you can boot in permissive and not in enforcing. I have the policy changes to fix openstack-service restart, but first try booting an instance again and grab the audit log to see if it's different. I would expect you to see some avcs for it to fail in enforcing.

I reproduced booting an instance with RDO on rhel7 and got a few avcs, which I will attach in the audit log.

$ rpm -qa selinux-policy
selinux-policy-3.12.1-153.el7.noarch

Comment 6 Ryan Hallisey 2014-04-23 20:03:08 UTC
Created attachment 889074 [details]
audit.log

Search for 'nova' and you will see some avcs

Comment 7 Yogev Rabl 2014-05-01 09:14:00 UTC
When restarting the openstack services I can see avcs:

# grep nova audit.log | grep avc

output:

type=AVC msg=audit(1398935297.980:93): avc:  denied  { signal } for  pid=1133 comm="nova-api" scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:system_r:nova_api_t:s0 tclass=process
type=AVC msg=audit(1398935298.855:112): avc:  denied  { read } for  pid=4697 comm="sh" name="passwd" dev="sda5" ino=24118430 scontext=system_u:system_r:nova_network_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1398935298.861:113): avc:  denied  { read } for  pid=4699 comm="sh" name="passwd" dev="sda5" ino=24118430 scontext=system_u:system_r:nova_network_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1398935299.511:116): avc:  denied  { read } for  pid=4737 comm="sh" name="passwd" dev="sda5" ino=24118430 scontext=system_u:system_r:nova_network_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1398935299.572:117): avc:  denied  { read } for  pid=4740 comm="sh" name="passwd" dev="sda5" ino=24118430 scontext=system_u:system_r:nova_scheduler_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1398935299.583:118): avc:  denied  { read } for  pid=4747 comm="sh" name="passwd" dev="sda5" ino=24118430 scontext=system_u:system_r:nova_scheduler_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1398935300.030:123): avc:  denied  { read } for  pid=4779 comm="sh" name="passwd" dev="sda5" ino=24118430 scontext=system_u:system_r:nova_scheduler_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1398935301.511:149): avc:  denied  { read } for  pid=4936 comm="sudo" name="passwd" dev="sda5" ino=24118430 scontext=system_u:system_r:nova_network_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1398935301.511:150): avc:  denied  { read } for  pid=4936 comm="sudo" name="utmp" dev="tmpfs" ino=13785 scontext=system_u:system_r:nova_network_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file

Comment 8 Ryan Hallisey 2014-06-04 21:27:10 UTC
Using the updated policy, selinux-policy-3.12.1-153.el7_0.10, only yields one avc.

#============= nova_network_t ==============
allow nova_network_t initrc_var_run_t:file read;

This can be shipped in selinux policy for RHEL 6.6 & 7.
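
The AVC records in comment 7 and the single allow rule in comment 8 are the two halves of the same triage step, so here is that step as code. This is an added example, not code from the bug report or from openstack-selinux: it parses audit.log AVC records, summarises denials per source domain, and collapses them into `allow` statements in the one-line-per-rule form that audit2allow prints, which is how the rule in comment 8 follows from the last AVC line in comment 7 (nova_network_t reading a file labelled initrc_var_run_t). The AVC sample lines are copied from comment 7; the SYSCALL line is constructed to show that non-AVC records are skipped. The sudo denials on passwd and utmp in the nova_network_t domain are consistent with the `sudo: unknown uid 162: who are you?` failure of the nova-rootwrap call in the description's nova-network traceback, since sudo cannot resolve the invoking uid without reading passwd.

```python
"""Triage SELinux AVC denials from an audit.log excerpt.

Added example; not part of the bug report or of openstack-selinux.
"""
import re
from collections import defaultdict

# Five AVC records copied from comment 7 of this bug (pids, inodes and
# timestamps as posted), plus one constructed non-AVC record that the
# parser must ignore.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1398935297.980:93): avc:  denied  { signal } for  pid=1133 comm="nova-api" scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:system_r:nova_api_t:s0 tclass=process',
    'type=AVC msg=audit(1398935298.855:112): avc:  denied  { read } for  pid=4697 comm="sh" name="passwd" dev="sda5" ino=24118430 scontext=system_u:system_r:nova_network_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file',
    'type=AVC msg=audit(1398935299.572:117): avc:  denied  { read } for  pid=4740 comm="sh" name="passwd" dev="sda5" ino=24118430 scontext=system_u:system_r:nova_scheduler_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file',
    'type=AVC msg=audit(1398935301.511:149): avc:  denied  { read } for  pid=4936 comm="sudo" name="passwd" dev="sda5" ino=24118430 scontext=system_u:system_r:nova_network_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file',
    'type=AVC msg=audit(1398935301.511:150): avc:  denied  { read } for  pid=4936 comm="sudo" name="utmp" dev="tmpfs" ino=13785 scontext=system_u:system_r:nova_network_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file',
    # Constructed companion record, not from the page; parse_avc() returns None for it.
    'type=SYSCALL msg=audit(1398935301.511:150): arch=c000003e syscall=2 success=no exit=-13 comm="sudo"',
]

# "avc:  denied  { read } for  pid=..." uses double spaces, hence \s+ throughout.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs; values are either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """system_u:system_r:nova_network_t:s0 -> nova_network_t (the type field)."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'serial': int(m.group('serial')),
        'verdict': m.group('verdict'),
        'perms': tuple(m.group('perms').split()),
        'comm': fields.get('comm'),
        'name': fields.get('name'),  # absent for process-class denials
        'source_type': context_type(fields['scontext']),
        'target_type': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
    }


def parse_audit(lines):
    """Parse every AVC record in an iterable of audit.log lines."""
    return [r for r in map(parse_avc, lines) if r is not None]


def denials_by_domain(records):
    """Count denials per source domain, keyed by (target type, class, permission)."""
    summary = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r['verdict'] != 'denied':
            continue
        for perm in r['perms']:
            summary[r['source_type']][(r['target_type'], r['tclass'], perm)] += 1
    return summary


def allow_rules(records):
    """Collapse denials into the minimal set of allow statements covering them."""
    needed = defaultdict(set)
    for r in records:
        if r['verdict'] == 'denied':
            needed[(r['source_type'], r['target_type'], r['tclass'])].update(r['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(needed.items()):
        perms = sorted(perms)
        perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_str};')
    return rules


if __name__ == '__main__':
    records = parse_audit(SAMPLE_AUDIT_LINES)
    for domain, counts in sorted(denials_by_domain(records).items()):
        print(f'#============= {domain} ==============')
        for (tgt, cls, perm), n in sorted(counts.items()):
            print(f'  {n}x denied {perm} on {tgt}:{cls}')
    print('\n'.join(allow_rules(records)))
```

On the comment 7 sample this yields four rules, one of which is exactly the comment 8 rule. Comment 8 also shows why the list is a starting point rather than something to load as a module: with the updated selinux-policy only the initrc_var_run_t denial remained, so turning every denial in an older log into an allow rule would grant the nova domains access the shipped policy no longer needs.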

Comment 9 Miroslav Grepl 2014-06-05 14:21:44 UTC
I think it's too late to add these to our rhel-7.0.z errata, which we have for a non-OpenStack issue.

Milos,
how does it look? Do you agree with me?

Comment 10 Milos Malik 2014-06-05 15:31:44 UTC
The 0day selinux-policy errata for RHEL-7.0 must go to REL_PREP tomorrow (June 6). If you do a new build of selinux-policy tonight, I can test the differences in the morning and the errata gets pushed as planned.

Comment 11 Miroslav Grepl 2014-06-06 09:23:11 UTC
Yes, so too late.

We will need to have a new bug for these OpenStack issues.

