rhel-osp-director: 8.0 - the undercloud deployment fails due to selinux.

Environment:
instack-undercloud-2.1.3-1.el7ost.noarch
openstack-selinux-0.6.42-1.el7ost.noarch

Steps to reproduce:
1. Attempt to deploy the undercloud. Bear in mind https://bugzilla.redhat.com/show_bug.cgi?id=1280083.
2. Make sure to enable selinux (setenforce 1) after successfully passing the issue reported in https://bugzilla.redhat.com/show_bug.cgi?id=1280083.
3. Re-run "openstack undercloud install"

Result:
[2015-11-10 17:45:22,720] (os-refresh-config) [INFO] Completed phase post-configure
os-refresh-config completed successfully
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 563, in install
    _configure_ssh_keys()
  File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 541, in _configure_ssh_keys
    nova.keypairs.create('default', pubkey.read().rstrip())
  File "/usr/lib/python2.7/site-packages/novaclient/api_versions.py", line 349, in substitution
    return method.func(obj, *args, **kwargs)
  File "/usr/lib/python2.7/site-packages/novaclient/v2/keypairs.py", line 80, in create
    return self._create('/%s' % self.keypair_prefix, body, 'keypair')
  File "/usr/lib/python2.7/site-packages/novaclient/base.py", line 169, in _create
    _resp, body = self.api.client.post(url, body=body)
  File "/usr/lib/python2.7/site-packages/novaclient/client.py", line 449, in post
    return self._cs_request(url, 'POST', **kwargs)
  File "/usr/lib/python2.7/site-packages/novaclient/client.py", line 424, in _cs_request
    resp, body = self._time_request(url, method, **kwargs)
  File "/usr/lib/python2.7/site-packages/novaclient/client.py", line 397, in _time_request
    resp, body = self.request(url, method, **kwargs)
  File "/usr/lib/python2.7/site-packages/novaclient/client.py", line 366, in request
    **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/api.py", line 50, in request
    response = session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 464, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 576, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 415, in send
    raise ConnectionError(err, request=request)
requests.exceptions.ConnectionError: ('Connection aborted.', BadStatusLine("''",))
Command 'instack-install-undercloud' returned non-zero exit status 1

Here are the avc errors:
[stack@instack ~]$ sudo grep -i avc /var/log/audit/audit.log
type=USER_AVC msg=audit(1447193023.694:251): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=2) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1447193023.694:252): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=3) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1447193372.173:336): avc: denied { read } for pid=25420 comm="dnsmasq" name="tftpboot" dev="sda1" ino=1572866 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1447193408.754:426): avc: denied { search } for pid=26870 comm="neutron-server" name="httpd" dev="sda1" ino=793777 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir
type=AVC msg=audit(1447193408.754:427): avc: denied { search } for pid=26870 comm="neutron-server" name="httpd" dev="sda1" ino=793777 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir
type=USER_AVC msg=audit(1447194387.136:673): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=4) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1447194387.136:674): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=5) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1447194408.663:679): avc: denied { read } for pid=5498 comm="dnsmasq" name="tftpboot" dev="sda1" ino=1572866 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1447194462.903:725): avc: denied { read } for pid=6542 comm="dnsmasq" name="tftpboot" dev="sda1" ino=1572866 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
type=USER_AVC msg=audit(1447194502.743:748): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=0) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1447194502.750:749): avc: denied { read } for pid=6771 comm="dnsmasq" name="tftpboot" dev="sda1" ino=1572866 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
type=USER_AVC msg=audit(1447194616.439:884): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=1) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1447194676.501:915): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=6) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1447194676.501:916): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=7) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1447194753.696:970): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=8) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1447194753.696:971): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=9) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1447194838.365:1200): avc: denied { execmem } for pid=27453 comm="nova-api" scontext=system_u:system_r:nova_t:s0 tcontext=system_u:system_r:nova_t:s0 tclass=process
type=USER_AVC msg=audit(1447195404.392:1376): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=10) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1447195404.392:1377): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=11) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1447195512.476:1714): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=12) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1447195512.476:1715): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=13) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1447195512.476:1716): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=14) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1447195524.746:1877): avc: denied { execmem } for pid=12896 comm="nova-api" scontext=system_u:system_r:nova_t:s0 tcontext=system_u:system_r:nova_t:s0 tclass=process

Note: running "openstack undercloud install" in selinux permissive mode results in successful installation.
Created attachment 1092498: /var/log/messages
Created attachment 1092499: /var/log/audit/audit.log
I still see the default_t issue again. This is caused because a dir is being created in the '/' directory that does not have the correct label. 'default_t' is assigned to a directory in '/' that hasn't had its label restored or assigned. The fix for this is after you create '/<my_dir>' run
$ restorecon -Rv /<my_dir>

type=AVC msg=audit(1447195524.746:1877): avc: denied { execmem } for pid=12896 comm="nova-api" scontext=system_u:system_r:nova_t:s0 tcontext=system_u:system_r:nova_t:s0 tclass=process

This AVC is problematic. The type nova_t only exists on rhel7.
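Added example, not part of the bug report or of openstack-selinux: a small Python triage of the AVC lines above that counts real denials and separates those against a default_t target (the labeling case the comment says restorecon fixes) from the rest. The function names are hypothetical; the sample lines are copied from the audit log quoted in this report.

```python
import re
from collections import Counter

# Sample input: five lines copied from the audit log quoted in this report.
SAMPLE = """\
type=USER_AVC msg=audit(1447193023.694:251): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=2) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1447193372.173:336): avc: denied { read } for pid=25420 comm="dnsmasq" name="tftpboot" dev="sda1" ino=1572866 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1447193408.754:426): avc: denied { search } for pid=26870 comm="neutron-server" name="httpd" dev="sda1" ino=793777 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir
type=AVC msg=audit(1447194408.663:679): avc: denied { read } for pid=5498 comm="dnsmasq" name="tftpboot" dev="sda1" ino=1572866 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1447194838.365:1200): avc: denied { execmem } for pid=27453 comm="nova-api" scontext=system_u:system_r:nova_t:s0 tcontext=system_u:system_r:nova_t:s0 tclass=process
"""

# Matches kernel AVC denials only; "type=USER_AVC" notices do not match.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<s>\S+) tcontext=(?P<t>\S+) tclass=(?P<cls>\S+)')

def se_type(context):
    """Return the type field of a user:role:type:level SELinux context."""
    return context.split(":")[2]

def summarize(log_text):
    """Count denials keyed by (comm, source type, target type, class, perm)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # policyload / setenforce notices are not denials
        for perm in m.group("perms").split():
            key = (m.group("comm"), se_type(m.group("s")),
                   se_type(m.group("t")), m.group("cls"), perm)
            counts[key] += 1
    return counts

def mislabeled(counts):
    """(comm, class) pairs denied on a default_t target: relabel, don't add policy."""
    return sorted({(comm, cls) for (comm, _s, t, cls, _p) in counts
                   if t == "default_t"})

if __name__ == "__main__":
    result = summarize(SAMPLE)
    for key, n in sorted(result.items()):
        print(n, *key)
    print("needs restorecon:", mislabeled(result))
```
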
Added in some optional policy for nova_t. Hopefully this should solve the issue or at least reveal what else could be causing the issue.
Verified:

Environment:
openstack-selinux-0.6.48-1.el7ost.noarch

With the new subject in mind, verified that there are no avc messages on controllers in /var/log/audit/audit.log.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2016-0603.html