Bug 1249788 - OpenStack is prevented from connecting to Nova by SELinux (port 8774)
Summary: OpenStack is prevented from connecting to Nova by SELinux (port 8774)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: SELinux
Version: 6.1.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: Unspecified
Assignee: Lukas Zapletal
QA Contact: Kedar Bidarkar
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2015-08-03 20:21 UTC by Jan Hutař
Modified: 2019-06-13 21:25 UTC
CC List: 4 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-10-15 18:20:29 UTC
Target Upstream Version:
Embargoed:




Links
System                   ID              Private  Priority  Status        Summary                         Last Updated
Red Hat Product Errata   RHBA-2015:1911  0        normal    SHIPPED_LIVE  Satellite 6.1.3 bug fix update  2015-10-15 22:19:19 UTC

Description Jan Hutař 2015-08-03 20:21:48 UTC
Description of problem:
Provisioning host in OpenStack produces SELinux AVC.


Version-Release number of selected component (if applicable):
Satellite-6.1.0-RHEL-6-20150731.1-Satellite-x86_64


How reproducible:
always (about 2 of 2 attempts)


Steps to Reproduce:
1. Setup Sat6 with OpenStack compute resource
2. Provision host
   # hammer --username 'admin' --password 'changeme' host create --name 'OpenStack2' --hostgroup-id '1' --compute-resource-id '2' --puppet-ca-proxy '<fqdn>' --puppet-proxy '<fqdn>' --puppet-classes qaredhattest --location-id '2' --organization-id '1' --provision-method 'image' --owner 'admin' --compute-attributes 'nics=[],flavor_ref=1,security_group=<group>,network=public,image_ref=<ref>'


Actual results:
==> /var/log/foreman-proxy/proxy.log <==
10.16.42.32 - - [03/Aug/2015 16:12:52] "POST /puppet/ca/autosign/openstack2.katellolabs.org HTTP/1.1" 200 - 0.0230

==> /var/log/foreman/production.log <==
2015-08-03 16:12:52 [I] Revoked old certificates and enabled autosign for UserData
2015-08-03 16:12:52 [I] Adding Compute instance for openstack2.katellolabs.org
2015-08-03 16:12:52 [I] Successfully decrypted field for Foreman::Model::Openstack openstack

==> /var/log/audit/audit.log <==
type=AVC msg=audit(1438632772.612:921): avc:  denied  { name_connect } for  pid=27564 comm="ruby" dest=8774 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1438632772.612:921): arch=c000003e syscall=42 success=no exit=-115 a0=14 a1=89d05b0 a2=10 a3=5898 items=0 ppid=1 pid=27564 auid=4294967295 uid=497 gid=496 euid=497 suid=497 fsuid=497 egid=496 sgid=496 fsgid=496 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=unconfined_u:system_r:passenger_t:s0 key=(null)

==> /var/log/foreman/production.log <==
2015-08-03 16:13:43 [I] Waiting for openstack2.katellolabs.org to become ready
2015-08-03 16:13:43 [I] waiting for instance to acquire ip address
2015-08-03 16:13:43 [I] Add DNS A record for openstack2.katellolabs.org/10.8.50.155

==> /var/log/foreman-proxy/proxy.log <==
10.16.42.32 - - [03/Aug/2015 16:13:44] "POST /dns/ HTTP/1.1" 200 - 0.9452


Expected results:
There should not be any AVC


Additional info:
To me it looks like it is not breaking anything, but having AVCs logged is not nice.

Comment 4 Jan Hutař 2015-08-05 07:03:30 UTC
Looks like there is the same issue when creating an OpenStack compute resource:

# hammer --username admin --password changeme compute-resource create --name 'openstack' --provider Openstack --url 'http://<openstack>:5000/v2.0/tokens' --user '<user>' --password '<pass>' --tenant '<tenant>' --organization-ids 1 --location-ids 2

type=SYSCALL msg=audit(1438741007.135:462): arch=c000003e syscall=42 success=no exit=-115 a0=f a1=aed95f0 a2=10 a3=5898 items=0 ppid=1 pid=3112 auid=4294967295 uid=497 gid=496 euid=497 suid=497 fsuid=497 egid=496 sgid=496 fsgid=496 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=unconfined_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1438741007.135:462): avc:  denied  { name_connect } for  pid=3112 comm="ruby" dest=8774 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
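
The two AVC records above (the one in the description and the one here) are the same denial: a passenger_t process (the Foreman Rails app under Passenger) asking for name_connect on tcp/8774, which carries only the generic port_t label. As an added example, not code from the bug report, Satellite or foreman-selinux, the following Python script parses those records as they appear on this page, pairs each AVC with its SYSCALL record by audit serial, decodes the syscall and errno with Linux x86_64 numbering, and lists the checks an operator would run before touching policy. The sample log is a constructed copy of the records quoted above; the `<port_type>` in the remediation hint is a placeholder, not the type the actual fix used.

```python
"""Triage of SELinux name_connect denials of the kind quoted in this bug.

Added example, not part of the report or of Satellite/foreman-selinux.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: both AVC records from the report plus the SYSCALL record
# paired with the first one (serial 921). The second AVC is deliberately left
# without its SYSCALL record to show how unpaired denials are handled.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1438632772.612:921): avc:  denied  { name_connect } for  pid=27564 comm="ruby" dest=8774 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1438632772.612:921): arch=c000003e syscall=42 success=no exit=-115 a0=14 a1=89d05b0 a2=10 a3=5898 items=0 ppid=1 pid=27564 auid=4294967295 uid=497 gid=496 euid=497 suid=497 fsuid=497 egid=496 sgid=496 fsgid=496 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=unconfined_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1438741007.135:462): avc:  denied  { name_connect } for  pid=3112 comm="ruby" dest=8774 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\([0-9.]+:(?P<serial>\d+)\): avc:\s+(?P<decision>denied|granted)"
    r"\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
SYSCALL_RE = re.compile(r"type=SYSCALL msg=audit\([0-9.]+:(?P<serial>\d+)\): (?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')

# Linux numbering, hard-coded on purpose: the record comes from a Linux host,
# while Python's errno module reflects whatever platform runs this script.
LINUX_ERRNO = {13: "EACCES", 111: "ECONNREFUSED", 115: "EINPROGRESS"}
X86_64_SYSCALLS = {42: "connect"}  # arch=c000003e is AUDIT_ARCH_X86_64


def selinux_type(context: str) -> str:
    """user:role:type:level -> type, the field SELinux rules are written against."""
    return context.split(":")[2]


@dataclass
class Denial:
    serial: int
    perms: List[str]
    scontext: str
    tcontext: str
    tclass: str
    dest: Optional[int]
    syscall: Optional[str] = None      # from the paired SYSCALL record, if any
    exit_errno: Optional[str] = None


def _kv(text: str) -> Dict[str, str]:
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def parse_audit(text: str) -> List[Denial]:
    denials: Dict[int, Denial] = {}
    syscalls: Dict[int, Dict[str, str]] = {}
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if m:
            f = _kv(m.group("rest"))
            serial = int(m.group("serial"))
            denials[serial] = Denial(serial, m.group("perms").split(), f["scontext"],
                                     f["tcontext"], f["tclass"],
                                     int(f["dest"]) if "dest" in f else None)
            continue
        m = SYSCALL_RE.match(line)
        if m:
            syscalls[int(m.group("serial"))] = _kv(m.group("rest"))
    # Records of one event share the audit serial; pairing them tells us which
    # syscall failed and how. -115 is EINPROGRESS, the normal return of a
    # non-blocking connect(2); a connect refused by the AVC returns EACCES (-13).
    for serial, d in denials.items():
        sc = syscalls.get(serial)
        if sc is None:
            continue
        if sc.get("arch") == "c000003e":
            d.syscall = X86_64_SYSCALLS.get(int(sc["syscall"]), sc["syscall"])
        if sc.get("success") == "no":
            code = -int(sc["exit"])
            d.exit_errno = LINUX_ERRNO.get(code, str(code))
    return list(denials.values())


def assess(d: Denial) -> Dict[str, object]:
    """What the denial means and which commands to run before writing policy."""
    src, tgt = selinux_type(d.scontext), selinux_type(d.tcontext)
    if "name_connect" not in d.perms or d.tclass != "tcp_socket":
        return {"kind": "other", "source_type": src, "target_type": tgt, "checks": []}
    checks = [
        f"semanage port -l | grep -w {d.dest}",                 # how is the port labelled?
        f"sesearch -A -s {src} -c tcp_socket -p name_connect",   # which port types may src reach?
    ]
    # port_t is the default label of a port no policy has claimed; a confined
    # domain can only reach it if its policy allows generic ports. Otherwise the
    # domain's policy must allow a port type covering this port, or the port must
    # be labelled with one: semanage port -a -t <port_type> -p tcp PORT
    # (<port_type> is a placeholder, not the type any particular fix used).
    kind = "connect_to_unlabeled_port" if tgt == "port_t" else "connect_to_labeled_port"
    return {"kind": kind, "source_type": src, "target_type": tgt, "port": d.dest, "checks": checks}


if __name__ == "__main__":
    for d in parse_audit(SAMPLE_AUDIT_LOG):
        print(f"serial={d.serial} {d.syscall or '?'} -> tcp/{d.dest} exit={d.exit_errno or 'n/a'}")
        for c in assess(d)["checks"]:
            print("   ", c)
```

Run against a real host, feed it `ausearch -m AVC,SYSCALL -ts recent` output instead of the sample; the `semanage port -l` line answers whether 8774 is still port_t on that box, and the `sesearch` line shows which port types the source domain is already allowed to connect to, which is the information needed to decide between relabelling the port and fixing the policy module.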

Comment 5 Jan Hutař 2015-08-05 20:22:52 UTC
This is fatal on RHEL7 - creating OpenStack compute resource fails with SELinux in Enforcing.

Comment 10 Lukas Zapletal 2015-08-06 14:35:02 UTC
This should have been solved with https://bugzilla.redhat.com/show_bug.cgi?id=1249788

Comment 11 Lukas Zapletal 2015-08-07 07:30:20 UTC
Sorry I meant https://bugzilla.redhat.com/show_bug.cgi?id=1136991

Comment 17 Kedar Bidarkar 2015-10-07 17:01:14 UTC
Verified we are now able to add an OpenStack compute resource without disabling SELinux.


2015-10-07 12:43:50 [I] Processing by ComputeResourcesController#provider_selected as HTML
2015-10-07 12:43:50 [I]   Parameters: {"provider"=>"Openstack"}
2015-10-07 12:43:51 [I]   Rendered compute_resources/form/_openstack.html.erb (222.2ms)
2015-10-07 12:43:51 [I]   Rendered taxonomies/_loc_org_tabs.html.erb (18.5ms)
2015-10-07 12:43:51 [I]   Rendered compute_resources/_form.html.erb (256.9ms)
2015-10-07 12:43:51 [I] Completed 200 OK in 324ms (Views: 257.6ms | ActiveRecord: 7.1ms)


# getenforce
Enforcing

VERIFIED with Satellite-6.1.0-RHEL-7-20151006.1 on RHEL7

VERIFIED with Satellite-6.1.0-RHEL-6-20151006.0 on RHEL6 too.

Comment 19 errata-xmlrpc 2015-10-15 18:20:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2015:1911

