Description of problem:
Glance image-create fails on a RHOS5 running on RHEL7 when glance is configured to use Ceph/rbd and SELinux is in enforcing mode.

type=AVC msg=audit(1405130267.572:5587): avc: denied { execstack } for pid=8320 comm="glance-api" scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:system_r:glance_api_t:s0 tclass=process
type=AVC msg=audit(1405130267.572:5587): avc: denied { execmem } for pid=8320 comm="glance-api" scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:system_r:glance_api_t:s0 tclass=process

Version-Release number of selected component (if applicable):
# rpm -qa | egrep "glance|selinux" | sort
libselinux-2.0.94-2.el6.x86_64
libselinux-2.0.94-5.2.el6.x86_64
libselinux-python-2.0.94-2.el6.x86_64
libselinux-python-2.0.94-5.2.el6.x86_64
libselinux-utils-2.0.94-2.el6.x86_64
libselinux-utils-2.0.94-5.2.el6.x86_64
selinux-policy-3.7.19-126.el6_2.4.noarch
selinux-policy-3.7.19-54.el6.noarch
selinux-policy-targeted-3.7.19-126.el6_2.4.noarch
selinux-policy-targeted-3.7.19-54.el6.noarch

/etc/glance/glance-api.conf updates:
default_store=rbd
show_image_direct_url=True
rbd_store_ceph_conf=/etc/ceph/ceph.conf
rbd_store_user=images
rbd_store_pool=images
rbd_store_chunk_size=8

How reproducible:
100% while in enforcing and using rbd

Steps to Reproduce:
1. Configure Ceph to allow connections from OSP
2. Configure OSP to create a connection to Ceph
3. Create image with glance

Actual results:

Expected results:

Additional info:
Correction. The wrong list of packages was provided. Here is the corrected list:

# rpm -qa | egrep "glance|selinux" | sort
libselinux-2.2.2-6.el7.x86_64
libselinux-python-2.2.2-6.el7.x86_64
libselinux-ruby-2.2.2-6.el7.x86_64
libselinux-utils-2.2.2-6.el7.x86_64
openstack-glance-2014.1-4.el7ost.noarch
openstack-selinux-0.5.9-1.el7ost.noarch
python-glance-2014.1-4.el7ost.noarch
python-glanceclient-0.12.0-1.el7ost.noarch
selinux-policy-3.12.1-153.el7_0.10.noarch
selinux-policy-targeted-3.12.1-153.el7_0.10.noarch
Can you rerun your steps in permissive and attach your audit.log please?
The audit logs while running in permissive mode are included in the description.
We probably want to add a glance_use_execmem boolean.
verified on: openstack-selinux-0.5.14-3.el7ost.noarch
Rechecked this issue after updating the OSP, and the bug still happens:

# sealert -a /var/log/audit.log
output:

found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/bin/python2.7 from read access on the file .

***** Plugin catchall (100. confidence) suggests **************************

If you believe that python2.7 should be allowed read access on the file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep glance-api /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:glance_api_t:s0
Target Context                unconfined_u:object_r:admin_home_t:s0
Target Objects                [ file ]
Source                        glance-api
Source Path                   /usr/bin/python2.7
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           python-2.7.5-16.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-153.el7_0.10.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     cougar01.scl.lab.tlv.redhat.com
Platform                      Linux cougar01.scl.lab.tlv.redhat.com 3.10.0-123.4.2.el7.x86_64 #1 SMP Thu Jun 5 21:43:43 EDT 2014 x86_64 x86_64
Alert Count                   6
First Seen                    2014-07-23 11:45:25 IDT
Last Seen                     2014-07-23 11:51:06 IDT
Local ID                      766fdad8-30e6-428e-8b13-f92a1df47417

Raw Audit Messages
type=AVC msg=audit(1406105466.953:21025): avc: denied { read } for pid=18077 comm="glance-api" name="ceph.conf" dev="sda5" ino=18743509 scontext=system_u:system_r:glance_api_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

type=SYSCALL msg=audit(1406105466.953:21025): arch=x86_64 syscall=open success=no exit=EACCES a0=2c712e8 a1=0 a2=1b6 a3=0 items=0 ppid=18062 pid=18077 auid=4294967295 uid=161 gid=161 euid=161 suid=161 fsuid=161 egid=161 sgid=161 fsgid=161 tty=(none) ses=4294967295 comm=glance-api exe=/usr/bin/python2.7 subj=system_u:system_r:glance_api_t:s0 key=(null)

Hash: glance-api,glance_api_t,admin_home_t,file,read
I think the labeling is wrong; glance_api_t should not be trying to read root's home directory. You need to run

# restorecon -R -v <path for glance_api_t>

The path for glance_api_t will be in the audit.log.
Sorry, wrong path:

# restorecon -R -v <path for ceph.conf>
The bad context on the ceph.conf file may be a local configuration issue created while testing. I have checked the ceph.conf on my other systems and they are etc_t. My OSP environment is being rebuilt. I will recheck it there once I get it back.
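As an added illustration (not code from this bug report or from openstack-selinux), a POSIX shell triage helper that sorts glance_api_t AVC denials like the ones quoted in this thread into the two fixes discussed above: execmem/execstack denials, which the glance_use_execmem boolean is meant to cover, and file denials whose target is admin_home_t, which point to a mislabelled ceph.conf to be fixed with restorecon rather than with a custom audit2allow module. The audit lines in SAMPLE_AVC are constructed, shortened copies of the two patterns seen here.

```shell
#!/bin/sh
# Added example, not from the bug report. Classifies glance_api_t AVC denials
# read from stdin (e.g. grep glance-api /var/log/audit/audit.log | classify_avc).

# Constructed sample audit lines modelled on the two patterns in this thread.
SAMPLE_AVC='type=AVC msg=audit(1.0:1): avc: denied { execmem } for pid=1 comm="glance-api" scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:system_r:glance_api_t:s0 tclass=process
type=AVC msg=audit(1.0:2): avc: denied { read } for pid=2 comm="glance-api" name="ceph.conf" dev="sda5" ino=1 scontext=system_u:system_r:glance_api_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file'

# classify_avc: one verdict line per glance_api_t denial on stdin:
#   boolean:<perm>          -> execmem/execstack, handled by glance_use_execmem
#   relabel:<file>:<type>   -> file under admin_home_t, run restorecon on it
#   other:<perm>:<type>:<class> -> anything else, inspect before allowing
classify_avc() {
    grep 'avc: *denied' | grep 'scontext=[^ ]*:glance_api_t:' |
    while IFS= read -r line; do
        perm=$(printf '%s\n' "$line" | sed -n 's/.*denied { \([^}]*\)}.*/\1/p' | tr -d ' ')
        ttype=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=[^ ]*:\([a-z_]*_t\):.*/\1/p')
        tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([a-z_]*\).*/\1/p')
        case "$perm" in
            execmem|execstack)
                echo "boolean:$perm" ;;
            *)
                if [ "$tclass" = file ] && [ "$ttype" = admin_home_t ]; then
                    # Config files in a root-home label are a labeling bug,
                    # not a policy gap: relabel instead of widening policy.
                    name=$(printf '%s\n' "$line" | sed -n 's/.*name="\([^"]*\)".*/\1/p')
                    echo "relabel:$name:$ttype"
                else
                    echo "other:$perm:$ttype:$tclass"
                fi ;;
        esac
    done
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | classify_avc
```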
Tested on OpenStack-5.0-RHEL-7 Puddle: 2014-07-23.1, working OK.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2014-0937.html