Created attachment 1023025
Sealert and audit logs plus Glance logs

Description of problem:
Glance image-create fails when using nfs mount for datadir if selinux is in enforcing state.

Version-Release number of selected component (if applicable):
RHEL 7.1
python-glanceclient-0.17.0-2.el7.noarch
openstack-glance-2015.1.0-3.el7.noarch
python-glance-store-0.4.0-1.el7.noarch
python-glance-2015.1.0-3.el7.noarch
libselinux-python-2.2.2-6.el7.x86_64
openstack-selinux-0.6.31-1.el7.noarch
selinux-policy-3.13.1-23.el7.noarch
libselinux-2.2.2-6.el7.x86_64
libselinux-utils-2.2.2-6.el7.x86_64
libselinux-ruby-2.2.2-6.el7.x86_64
selinux-policy-targeted-3.13.1-23.el7.noarch

How reproducible:
Every time. Once I reverted back to permissive/disabled it worked without a problem. Switching back to enforcing, the problem happened again.

Steps to Reproduce:
1. Setup AIO deployment
2. Stop Glance service
3. Mount nfs share to replace /var/lib/glance, don't forget chown/chmod for Glance. I'd used mount command, not fstab automount.
4. Start Glance service
5. Try to upload image - should fail with error below
6. Now switch to permissive mode (or disable)
7. Glance image should now work.
8. If you switch back to enforcing, image-create fails again.

Not sure it's needed or related: on changing modes, I tried with setenforce and once with editing selinux conf file, plus rebooting system, and manually running mount command.

Actual results:
Enforcing mode would cause error: Request returned failure status 410.
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/glanceclient/shell.py", line 644, in main
    args.func(client, args)
  File "/usr/lib/python2.7/site-packages/glanceclient/v1/shell.py", line 245, in do_image_create
    image = gc.images.create(**fields)
  File "/usr/lib/python2.7/site-packages/glanceclient/v1/images.py", line 319, in create
    data=image_data)
  File "/usr/lib/python2.7/site-packages/glanceclient/common/http.py", line 265, in post
    return self._request('POST', url, **kwargs)
  File "/usr/lib/python2.7/site-packages/glanceclient/common/http.py", line 230, in _request
    raise exc.from_response(resp, resp.text)
HTTPException: 410 Gone: Error in store configuration. Adding images to store is disabled. (HTTP N/A)
410 Gone: Error in store configuration. Adding images to store is disabled. (HTTP N/A)

Expected results:
Should be able to upload image to an nfs based Glance storage even when in enforcing state.

Additional info:
Adding sealert/audit logs plus Glance api.log
The AVC is:

type=AVC msg=audit(1430905710.941:205752): avc: denied { search } for pid=5894 comm="glance-api" name="/" dev="0:37" ino=395 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir

I believe it would be enough to add:

allow glance_api_t nfs_t:dir search;

I could swear I had seen this reported already. :/
I have seen this as well, with openstack-selinux-0.6.31-1.el7ost. The following test policy allowed me to create and delete images without issues, on an NFS backend:

-----------------------
module glance_nfs_test 1.0;

require {
    type glance_registry_t;
    type glance_api_t;
    type nfs_t;
    class file { create write open getattr unlink };
    class dir { search getattr write add_name create remove_name };
}

#============= glance_api_t ==============
allow glance_api_t nfs_t:dir { search getattr write add_name create remove_name };
allow glance_api_t nfs_t:file { create write open getattr unlink };

#============= glance_registry_t ==============
allow glance_registry_t nfs_t:dir search;
I haven't seen this yet, thanks for reporting it! The rules you posted look good, but can you attach the AVCs so I can double check?
Created attachment 1030412
grep -i avc audit.log from affected system
BTW, there is a mongod avc in the logs, but that might require its own bug.
Did you gather those logs from enforcing mode or permissive? It looks like there are three rules missing. Run in permissive to gather all the logs. Sorry, I should've specified.

allow glance_api_t nfs_t:dir { search getattr };
allow glance_registry_t nfs_t:dir search;
I got it on enforcing mode, while creating the test policy. I have reproduced it again in permissive mode, here are the logs.
Created attachment 1031124
grep -i avc audit.log from affected system, tested on permissive mode
Thanks Javier! I'll be adding the following:

allow glance_api_t nfs_t:dir { write remove_name create add_name };
allow glance_api_t nfs_t:file { write getattr unlink open create };
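The "which rules are still missing" check done by hand in the comments above, as an added example that is not part of this bug or of openstack-selinux: it parses AVC denial records in the format quoted in the report, aggregates them per (source type, target type, class) the way audit2allow does, and diffs them against a candidate set of allow rules. The AVC lines are constructed samples in the report's format, not the attached audit.log.

```python
import re
from collections import defaultdict

# Constructed sample denials in the format quoted in the report (the attached
# audit.log is not on the page); pid, name and ino values are made up.
SAMPLE_AVCS = """\
type=AVC msg=audit(1430905710.941:205752): avc:  denied  { search } for  pid=5894 comm="glance-api" name="/" dev="0:37" ino=395 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1430905711.002:205753): avc:  denied  { write add_name } for  pid=5894 comm="glance-api" name="images" dev="0:37" ino=396 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1430905711.010:205754): avc:  denied  { create } for  pid=5894 comm="glance-api" name="tmp" dev="0:37" ino=397 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=AVC msg=audit(1430905712.100:205760): avc:  denied  { search } for  pid=5901 comm="glance-registry" name="/" dev="0:37" ino=395 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
"""
# Candidate rules as first proposed in the thread (trailing semicolon optional).
CANDIDATE_TE = """\
allow glance_api_t nfs_t:dir { search getattr }
allow glance_registry_t nfs_t:dir search;
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?scontext=\w+:\w+:(?P<src>\w+):\S+'
                    r'\s+tcontext=\w+:\w+:(?P<tgt>\w+):\S+\s+tclass=(?P<cls>\w+)')
ALLOW_RE = re.compile(r'allow (\w+) (\w+):(\w+) (?:\{ ([^}]+)\}|(\w+))\s*;?')

def parse_avcs(text):
    """Map (source type, target type, class) -> permissions that were denied."""
    needed = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (m.group('src'), m.group('tgt'), m.group('cls'))
            needed[key].update(m.group('perms').split())
    return needed

def parse_policy(te_text):
    """Map (source type, target type, class) -> permissions the allow rules grant."""
    granted = defaultdict(set)
    for m in ALLOW_RE.finditer(te_text):
        perms = m.group(4).split() if m.group(4) else [m.group(5)]
        granted[(m.group(1), m.group(2), m.group(3))].update(perms)
    return granted

def uncovered(needed, granted):
    """Denials the candidate policy would still leave in place (the missing rules)."""
    gaps = {k: p - granted.get(k, set()) for k, p in needed.items()}
    return {k: g for k, g in gaps.items() if g}

def to_allow_rules(rules):
    """Render a rule map as .te allow statements; a single permission needs no braces."""
    return ["allow %s %s:%s %s;" % (s, t, c, " ".join(sorted(p)) if len(p) == 1 else "{ %s }" % " ".join(sorted(p)))
            for (s, t, c), p in sorted(rules.items())]
```

Running `to_allow_rules(uncovered(parse_avcs(SAMPLE_AVCS), parse_policy(CANDIDATE_TE)))` lists exactly the dir and file permissions the first candidate left out; feeding it the full `grep -i avc audit.log` output from permissive mode gives the complete rule set, since enforcing mode stops at the first denial.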
This is still happening with RDO Liberty bits. Do we have any timelines for a fix?