Bug 1249788 - OpenStack is prevented from connecting to Nova by SELinux (port 8774)
Summary: OpenStack is prevented from connecting to Nova by SELinux (port 8774)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: SELinux
Version: 6.1.0
Hardware: Unspecified
OS: Unspecified
unspecified
high vote
Target Milestone: Unspecified
Assignee: Lukas Zapletal
QA Contact: Kedar Bidarkar
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-08-03 20:21 UTC by Jan Hutař
Modified: 2019-06-13 21:25 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-10-15 18:20:29 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:1911 0 normal SHIPPED_LIVE Satellite 6.1.3 bug fix update 2015-10-15 22:19:19 UTC

Description Jan Hutař 2015-08-03 20:21:48 UTC
Description of problem:
Provisioning host in OpenStack produces SELinux AVC.


Version-Release number of selected component (if applicable):
Satellite-6.1.0-RHEL-6-20150731.1-Satellite-x86_64


How reproducible:
always (about 2 of 2 attempts)


Steps to Reproduce:
1. Setup Sat6 with OpenStack compute resource
2. Provision host
   # hammer --username 'admin' --password 'changeme' host create --name 'OpenStack2' --hostgroup-id '1' --compute-resource-id '2' --puppet-ca-proxy '<fqdn>' --puppet-proxy '<fqdn>' --puppet-classes qaredhattest --location-id '2' --organization-id '1' --provision-method 'image' --owner 'admin' --compute-attributes 'nics=[],flavor_ref=1,security_group=<group>,network=public,image_ref=<ref>'


Actual results:
==> /var/log/foreman-proxy/proxy.log <==
10.16.42.32 - - [03/Aug/2015 16:12:52] "POST /puppet/ca/autosign/openstack2.katellolabs.org HTTP/1.1" 200 - 0.0230

==> /var/log/foreman/production.log <==
2015-08-03 16:12:52 [I] Revoked old certificates and enabled autosign for UserData
2015-08-03 16:12:52 [I] Adding Compute instance for openstack2.katellolabs.org
2015-08-03 16:12:52 [I] Successfully decrypted field for Foreman::Model::Openstack openstack

==> /var/log/audit/audit.log <==
type=AVC msg=audit(1438632772.612:921): avc:  denied  { name_connect } for  pid=27564 comm="ruby" dest=8774 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1438632772.612:921): arch=c000003e syscall=42 success=no exit=-115 a0=14 a1=89d05b0 a2=10 a3=5898 items=0 ppid=1 pid=27564 auid=4294967295 uid=497 gid=496 euid=497 suid=497 fsuid=497 egid=496 sgid=496 fsgid=496 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=unconfined_u:system_r:passenger_t:s0 key=(null)

==> /var/log/foreman/production.log <==
2015-08-03 16:13:43 [I] Waiting for openstack2.katellolabs.org to become ready
2015-08-03 16:13:43 [I] waiting for instance to acquire ip address
2015-08-03 16:13:43 [I] Add DNS A record for openstack2.katellolabs.org/10.8.50.155

==> /var/log/foreman-proxy/proxy.log <==
10.16.42.32 - - [03/Aug/2015 16:13:44] "POST /dns/ HTTP/1.1" 200 - 0.9452


Expected results:
There should not be any AVC


Additional info:
To me it looks like it is not breaking anything, but having AVCs logged is not nice.

Comment 4 Jan Hutař 2015-08-05 07:03:30 UTC
Looks like there is same issue when creating OpenStack compute-resource:

# hammer --username admin --password changeme compute-resource create --name 'openstack' --provider Openstack --url 'http://<openstack>:5000/v2.0/tokens' --user '<user>' --password '<pass>' --tenant '<tenant>' --organization-ids 1 --location-ids 2

type=SYSCALL msg=audit(1438741007.135:462): arch=c000003e syscall=42 success=no exit=-115 a0=f a1=aed95f0 a2=10 a3=5898 items=0 ppid=1 pid=3112 auid=4294967295 uid=497 gid=496 euid=497 suid=497 fsuid=497 egid=496 sgid=496 fsgid=496 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=unconfined_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1438741007.135:462): avc:  denied  { name_connect } for  pid=3112 comm="ruby" dest=8774 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

Comment 5 Jan Hutař 2015-08-05 20:22:52 UTC
This is fatal on RHEL7 - creating OpenStack compute resource fails with SELinux in Enforcing.

Comment 10 Lukas Zapletal 2015-08-06 14:35:02 UTC
This should have been solved with https://bugzilla.redhat.com/show_bug.cgi?id=1249788

Comment 11 Lukas Zapletal 2015-08-07 07:30:20 UTC
Sorry I meant https://bugzilla.redhat.com/show_bug.cgi?id=1136991

Comment 17 Kedar Bidarkar 2015-10-07 17:01:14 UTC
Verified we are now able to add openstack compute resource without disabling selinux.


2015-10-07 12:43:50 [I] Processing by ComputeResourcesController#provider_selected as HTML
2015-10-07 12:43:50 [I]   Parameters: {"provider"=>"Openstack"}
2015-10-07 12:43:51 [I]   Rendered compute_resources/form/_openstack.html.erb (222.2ms)
2015-10-07 12:43:51 [I]   Rendered taxonomies/_loc_org_tabs.html.erb (18.5ms)
2015-10-07 12:43:51 [I]   Rendered compute_resources/_form.html.erb (256.9ms)
2015-10-07 12:43:51 [I] Completed 200 OK in 324ms (Views: 257.6ms | ActiveRecord: 7.1ms)


1 ~]# getenforce
Enforcing

VERIFIED with Satellite-6.1.0-RHEL-7-20151006.1 on RHEL7

VERIFIED with Satellite-6.1.0-RHEL-6-20151006.0 on RHEL6 too.

Comment 19 errata-xmlrpc 2015-10-15 18:20:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2015:1911


Note You need to log in before you can comment on or make changes to this bug.