Created attachment 1123090
Setroubleshooter.log

Description of problem:
Nova - Glance communication denied by selinux

Package information:
* openstack-selinux-0.6.41-1.el7.noarch
* openstack-glance-11.0.1-2.el7.noarch
* openstack-nova-compute-12.0.1-1.el7.noarch

The installation was made from the RDO on the Liberty version. All in one.

Version-Release number of selected component (if applicable):
8

How reproducible:
100%

Steps to Reproduce:
1. Install glance and nova service.
2. Upload test image to glance.
3. Run 'nova image-list' command.

Actual results:
'nova image-list' command returns an "Unexpected API Error".

ERROR (ClientException): Unexpected API Error. Please report this at http://bugs.launchpad.net/nova/ and attach the Nova API log if possible.
<class 'glanceclient.exc.HTTPInternalServerError'> (HTTP 500) (Request-ID: req-58690167-8667-47bf-874a-eb2cf5579c83)

The audit log:
type=AVC msg=audit(1455113474.656:285): avc: denied { name_connect } for pid=3197 comm="glance-registry" dest=5000 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:commplex_main_port_t:s0 tclass=tcp_socket

*** See attached file of the setroubleshooter.

Expected results:
Should provide the list of uploaded images.

Additional info:
The command 'glance image-list' works correctly, and provides the list of uploaded images.
[root@overcloud-controller-0 ~]# nova image-list
+--------------------------------------+--------+--------+--------+
| ID                                   | Name   | Status | Server |
+--------------------------------------+--------+--------+--------+
| ea5007df-5931-4323-bd95-83250eae3295 | cirros | ACTIVE |        |
+--------------------------------------+--------+--------+--------+
[root@overcloud-controller-0 ~]#
[root@overcloud-controller-0 ~]# rpm -qa | grep tack-seli
openstack-selinux-0.6.55-1.el7ost.noarch
# cat /var/log/audit/audit.log | grep glance
type=AVC msg=audit(1458812176.200:22528): avc: denied { name_connect } for pid=49438 comm="glance-registry" dest=5000 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:commplex_main_port_t:s0 tclass=tcp_socket

# yum install setroubleshoot
# sealert -a /var/log/audit/audit.log > ~/sealert.log
# grep glance-registry /var/log/audit/audit.log | audit2allow -M glance-registry-pol
# semodule -i glance-registry-pol.pp

This works for me.
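The audit2allow pipeline in the comment above turns every matching denial into policy. As an added example (not part of the original comment or of openstack-selinux), this Python code parses the AVC records and lists the allow rules they correspond to, so the set can be reviewed before `semodule -i`. The function names are hypothetical and the third sample record is constructed.

```python
import re
from collections import defaultdict

# Sample input: the two AVC records quoted on this page, followed by one
# constructed denial (different target type) to exercise the grouping.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1455113474.656:285): avc: denied { name_connect } for pid=3197 comm="glance-registry" dest=5000 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:commplex_main_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1458812176.200:22528): avc: denied { name_connect } for pid=49438 comm="glance-registry" dest=5000 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:commplex_main_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1458812180.000:22530): avc: denied { read open } for pid=49438 comm="glance-registry" name="constructed.tmp" scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))} if m else {}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    fields["perms"] = m.group(1).split()
    # A context is user:role:type:level; an allow rule names only the type.
    fields["source"] = fields["scontext"].split(":")[2]
    fields["target"] = fields["tcontext"].split(":")[2]
    return fields

def summarize(log_text, comm="glance-registry"):
    """Group one command's denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "ports": set(), "count": 0})
    for avc in map(parse_avc, log_text.splitlines()):
        if avc is None or avc.get("comm") != comm:
            continue
        g = groups[(avc["source"], avc["target"], avc["tclass"])]
        g["perms"].update(avc["perms"])
        g["ports"].update(p for p in [avc.get("dest")] if p)
        g["count"] += 1
    return dict(groups)

def allow_rules(groups):
    """Render each group as the type-enforcement rule that would permit it."""
    rules = []
    for (src, tgt, cls), g in sorted(groups.items()):
        perms = sorted(g["perms"])
        text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {text};")
    return rules

if __name__ == "__main__":
    print("\n".join(allow_rules(summarize(SAMPLE_AUDIT_LOG))))
```

`audit2allow -M` also writes a `.te` source file next to the `.pp` module, which can be compared against this output before the module is loaded.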
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2016-0603.html