Bug 1150678 - Permissions issue prevents CSS from rendering
Summary: Permissions issue prevents CSS from rendering
Alias: None
Product: RDO
Classification: Community
Component: openstack-puppet-modules
Version: unspecified
Hardware: Unspecified
OS: Linux
Target Milestone: ---
: Juno
Assignee: Gaël Chamoulaud
QA Contact: Shai Revivo
Depends On:
TreeView+ depends on / blocked
Reported: 2014-10-08 16:07 UTC by Matt Kassawara
Modified: 2016-05-19 14:17 UTC (History)
7 users (show)

Fixed In Version: python-django-horizon-2014.2-1.fc22
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2016-05-19 14:17:14 UTC

Attachments (Terms of Use)

Description Matt Kassawara 2014-10-08 16:07:20 UTC
Description of problem: Permissions issue prevents CSS from rendering.

Version-Release number of selected component (if applicable): 2014.2-0.4.b3.fc22

How reproducible: Consistent.

Steps to Reproduce:
1. Install the openstack-dashboard package and dependencies.
2. Configure the dashboard.
3. Attempt to load the dashboard using a web browser.

Actual results: Dashboard renders without CSS.

Expected results: Dashboard renders with CSS.

Additional info: After enabling debug in the dashboard configuration, the following error appears in the web browser:

Exception Type:	OSError
Exception Value: [Errno 13] Permission denied: '/usr/share/openstack-dashboard/static/scss'
Exception Location: /usr/lib64/python2.7/os.py in makedirs, line 157

Changing ownership of the /usr/share/openstack/static tree to apache:apache resolves the issue.

Comment 1 Matthias Runge 2014-10-09 06:36:07 UTC
SELinux is preventing /usr/sbin/httpd from open access on the file .

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that httpd should be allowed open access on the  file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# grep httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:var_log_t:s0
Target Objects                 [ file ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          turing.berg.ol
Source RPM Packages           httpd-2.4.10-1.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-188.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     turing.berg.ol
Platform                      Linux turing.berg.ol 3.16.3-200.fc20.x86_64 #1 SMP
                              Wed Sep 17 22:34:21 UTC 2014 x86_64 x86_64
Alert Count                   17
First Seen                    2014-06-25 12:10:05 CEST
Last Seen                     2014-10-09 08:32:40 CEST
Local ID                      0739f667-e91a-4042-8a12-360f7f3506c4

Raw Audit Messages
type=AVC msg=audit(1412836360.505:4767): avc:  denied  { open } for  pid=6458 comm="httpd" path="/var/log/horizon/horizon.log" dev="dm-1" ino=4194308 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0

type=SYSCALL msg=audit(1412836360.505:4767): arch=x86_64 syscall=open success=no exit=EACCES a0=7f5dad2880b0 a1=441 a2=1b6 a3=0 items=0 ppid=6428 pid=6458 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: httpd,httpd_t,var_log_t,file,open

reporter: setenforce 0 should temporarily fix your issue, does it?

Comment 2 Ian Cordasco 2014-10-09 15:41:31 UTC
Matthias, 1150902 (and your first response) are talking about /var/log whereas Matt is discussing permissions for /usr/share/openstack-dashboard/static/scss. I'm pretty sure this is a basic permissions problem, not an selinux problem.

Comment 3 Matt Kassawara 2014-10-09 15:56:39 UTC
This particular issue involves general file permissions, not SELinux permissions. Nothing appears in audit.log about httpd attempting to access this directory structure.

Comment 4 Matthias Runge 2014-10-20 12:16:22 UTC
Could you please check, if this is fixed with python-django-horizon-2014.2-1.fc22 ?

What did you do to configure the dashboard?

In the RDO setup case and when installing via yum install openstack-dashboard, there is no need to write to /usr/share/openstack-dashboard/static/ for httpd.

Comment 5 Itzik Brown 2015-04-14 09:24:33 UTC
I have the same issue with openstack-dashboard-2015.1-0.1.b2.el7.centos.noarch after installing with packstack.

Changing ownership of the /usr/share/openstack-dashboard/static/dashboard tree to apache:apache resolves the issue.

Comment 6 Matthias Runge 2015-04-28 10:52:11 UTC
unfortunately, I wasn't able to reproduce this at all. 

The question would be: how does this happen? That directory should be read only, no need for the web server to write there at all.

Comment 7 Itzik Brown 2015-04-30 11:15:58 UTC
I checked with openstack-dashboard-2015.1-0rc2.el7.centos.noarch and didn't see this problem.

Comment 8 Itzik Brown 2015-05-05 08:57:15 UTC
I was able to reproduce.
After installation with packstack failed because of missing RPMs I reinstalled and the problem happens again.
After restarting httpd - the dashboard looks fine.

Comment 9 Matthias Runge 2015-05-06 12:06:30 UTC
*** Bug 1219006 has been marked as a duplicate of this bug. ***

Comment 10 Matthias Runge 2015-05-06 12:20:32 UTC
OK, to avoid confusion here:

this is about httpd is not restarted after installation via packstack (or another httpd restart required).

The error message given by horizon is clearly wrong, as the requested files don't even exist. Speaking of "permission denied" is not correct then.

Comment 11 Itzik Brown 2015-05-06 12:30:13 UTC
My comment was for the Kilo release.

There is a bug for Kilo:

Comment 14 Alfredo Moralejo 2016-05-19 14:17:14 UTC
This bug is against a version which has reached End of Life. Please reopen if it is still relevant with a latest version: http://releases.openstack.org/

Note You need to log in before you can comment on or make changes to this bug.