Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1111990

Summary: SELinux blocks Cinder from mounting GlusterFS volumes
Product: Red Hat OpenStack
Reporter: Yogev Rabl <yrabl>
Component: openstack-selinux
Assignee: Ryan Hallisey <rhallise>
Status: CLOSED ERRATA
QA Contact: Yogev Rabl <yrabl>
Severity: urgent
Priority: urgent
Version: 5.0 (RHEL 7)
CC: acathrow, eharney, gfidente, lhh, mgrepl, nlevinki, sclewis, scohen, yeylon, yrabl
Target Milestone: rc
Keywords: Regression, TestBlocker
Target Release: 5.0 (RHEL 7)
Hardware: All
OS: Linux
Whiteboard: storage
Fixed In Version: openstack-selinux-0.5.7-2.el7ost
Doc Type: Bug Fix
Last Closed: 2014-07-08 15:15:38 UTC
Type: Bug
Attachments: audit.log (flags: none)

Description Yogev Rabl 2014-06-22 14:19:30 UTC
Description of problem:
After installing RHOS with Packstack, Cinder fails to mount the GlusterFS volume to the /var/lib/cinder/mnt directory.
When I restarted the Cinder service with SELinux in permissive mode, without any changes to the configuration, Cinder was able to mount and create volumes successfully.
 

Version-Release number of selected component (if applicable):
openstack-selinux-0.5.2-2.el7ost.noarch
python-cinderclient-1.0.9-1.el7ost.noarch
openstack-cinder-2014.1-6.el7ost.noarch
python-cinder-2014.1-6.el7ost.noarch
openstack-packstack-2014.1.1-0.26.dev1157.el7ost.noarch
openstack-packstack-puppet-2014.1.1-0.26.dev1157.el7ost.noarch

How reproducible:
100%

Steps to Reproduce:
1. Install RHOS with Packstack with GlusterFS as Cinder's backend.
2. Create a volume with Cinder.


Actual results:
The volume creation will fail - the mount of the GlusterFS volume will fail.

Expected results:
The volume should be available and the GlusterFS volume should be mounted to the /var/lib/cinder/mnt directory.

Comment 3 Eric Harney 2014-06-23 12:48:44 UTC
Please provide the AVC messages from the system audit log.

Comment 4 Lon Hohberger 2014-06-23 13:54:58 UTC
Actually, it's better to always attach /var/log/audit/audit.log :)

Comment 5 Lon Hohberger 2014-06-23 13:58:49 UTC
Yogev, can you pull audit.log from your run in permissive mode?  That should capture all of the AVCs.

Comment 7 Ryan Hallisey 2014-06-24 14:44:01 UTC
Created attachment 911777
audit.log

Comment 8 Miroslav Grepl 2014-06-24 14:56:58 UTC
I see

#============= glance_api_t ==============

#!!!! This avc can be allowed using the boolean 'glance_use_fusefs'
allow glance_api_t fusefs_t:dir { write search getattr };


for fuse_t issues.

allow neutron_t http_port_t:tcp_socket name_connect;

needs to be added.
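
Added example, not part of the bug thread or of openstack-selinux: a small Python triage script that groups AVC denials from audit.log text by source type, target type and class, which is how the audit2allow-style output in comment 8 is organized. The sample records and the /mnt/gluster path are constructed, not taken from the attached audit.log.

```python
import re
from collections import defaultdict

# Constructed audit records in the kernel's AVC format (not from the attached audit.log).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1403600000.101:501): avc:  denied  { getattr } for  pid=2101 comm="glance-api" path="/mnt/gluster" dev="fuse" ino=1 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
type=SYSCALL msg=audit(1403600000.101:501): arch=c000003e syscall=4 success=yes exit=0 comm="glance-api"
type=AVC msg=audit(1403600000.102:502): avc:  denied  { search } for  pid=2101 comm="glance-api" name="/" dev="fuse" ino=1 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
type=AVC msg=audit(1403600000.103:503): avc:  denied  { write } for  pid=2101 comm="glance-api" name="/" dev="fuse" ino=1 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
type=AVC msg=audit(1403600000.104:504): avc:  denied  { search } for  pid=2101 comm="glance-api" name="/" dev="fuse" ino=1 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
type=AVC msg=audit(1403600001.200:510): avc:  denied  { name_connect } for  pid=2300 comm="neutron-server" dest=80 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1403600002.300:520): avc:  granted  { setenforce } for  pid=2400 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

# A context is user:role:type:level; only the type field is needed for a rule.
AVC_DENIED = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=[^:\s]+:[^:\s]+:(?P<src>[^:\s]+)\S*\s+"
    r"tcontext=[^:\s]+:[^:\s]+:(?P<tgt>[^:\s]+)\S*\s+"
    r"tclass=(?P<cls>\w+)"
)

def summarize_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # SYSCALL, PATH and other record types carry no denial
        match = AVC_DENIED.search(line)
        if match is None:
            continue  # "granted" records or malformed lines
        key = (match["src"], match["tgt"], match["cls"])
        rules[key].update(match["perms"].split())
    return dict(rules)

def format_rules(rules):
    """Render the grouped denials as allow-rule text, one line per group."""
    lines = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        ordered = sorted(perms)
        text = ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"
        lines.append(f"allow {src} {tgt}:{cls} {text};")
    return lines

if __name__ == "__main__":
    print("\n".join(format_rules(summarize_denials(SAMPLE_AUDIT_LOG))))
```

The grouped rules are a triage aid for reading the log; as comment 8 notes, a denial may already be covered by a boolean such as glance_use_fusefs.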

Comment 10 nlevinki 2014-07-02 13:23:52 UTC
Verified on puddle http://download.lab.bos.redhat.com/rel-eng/OpenStack/5.0-RHEL-7/2014-07-01.2
using openstack-selinux-0.5.9-1.el7ost.noarch rpm
1) Configure gluster as backend to cinder
2) Create 2 volumes, one empty and one from image.
3) Create a VM and boot it from the image in the volume

Comment 12 errata-xmlrpc 2014-07-08 15:15:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2014-0845.html