Bug 1306525 - Nova - Glance communication denied by selinux
Summary: Nova - Glance communication denied by selinux
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux
Version: 8.0 (Liberty)
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ga
Target Release: 8.0 (Liberty)
Assignee: Ryan Hallisey
QA Contact: Alexander Stafeyev
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-02-11 07:48 UTC by Maxim Babushkin
Modified: 2016-04-07 21:28 UTC
CC List: 7 users

Fixed In Version: openstack-selinux-0.6.53-1.el7ost
Doc Type: Bug Fix
Doc Text:
Previously, when nova was trying to retrieve a list of glance images, SELinux prevented that, and nova failed with an "Unexpected API Error". This update allows nova to communicate with glance. As a result, nova can now list glance images.
Clone Of:
Environment:
Last Closed: 2016-04-07 21:28:10 UTC
Target Upstream Version:
Embargoed:


Attachments
Setroubleshooter.log (1.93 KB, text/plain)
2016-02-11 07:48 UTC, Maxim Babushkin


Links
System: Red Hat Product Errata
ID: RHEA-2016:0603
Priority: normal
Status: SHIPPED_LIVE
Summary: Red Hat OpenStack Platform 8 Enhancement Advisory
Last Updated: 2016-04-08 00:53:53 UTC

Description Maxim Babushkin 2016-02-11 07:48:47 UTC
Created attachment 1123090
Setroubleshooter.log

Description of problem:
Nova - Glance communication denied by selinux

Package information:
* openstack-selinux-0.6.41-1.el7.noarch
* openstack-glance-11.0.1-2.el7.noarch
* openstack-nova-compute-12.0.1-1.el7.noarch

The installation was made from RDO, Liberty version, all in one.

Version-Release number of selected component (if applicable):
8

How reproducible:
100%

Steps to Reproduce:
1. Install glance and nova service.
2. Upload test image to glance.
3. Run 'nova image-list' command.

Actual results:
The 'nova image-list' command returns an "Unexpected API Error".

ERROR (ClientException): Unexpected API Error. Please report this at http://bugs.launchpad.net/nova/ and attach the Nova API log if possible.
<class 'glanceclient.exc.HTTPInternalServerError'> (HTTP 500) (Request-ID: req-58690167-8667-47bf-874a-eb2cf5579c83)

The audit log:
type=AVC msg=audit(1455113474.656:285): avc:  denied  { name_connect } for  pid=3197 comm="glance-registry" dest=5000 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:commplex_main_port_t:s0 tclass=tcp_socket

*** See the attached setroubleshooter file.

Expected results:
Should provide the list of uploaded images.

Additional info:
The command 'glance image-list' works correctly, and provides the list of uploaded images.

Comment 4 Alexander Stafeyev 2016-03-01 09:43:39 UTC
[root@overcloud-controller-0 ~]# nova image-list
+--------------------------------------+--------+--------+--------+
| ID                                   | Name   | Status | Server |
+--------------------------------------+--------+--------+--------+
| ea5007df-5931-4323-bd95-83250eae3295 | cirros | ACTIVE |        |
+--------------------------------------+--------+--------+--------+
[root@overcloud-controller-0 ~]#

[root@overcloud-controller-0 ~]# rpm -qa | grep tack-seli
openstack-selinux-0.6.55-1.el7ost.noarch

Comment 5 webdesigner 2016-03-24 09:54:51 UTC
# cat /var/log/audit/audit.log | grep glance
type=AVC msg=audit(1458812176.200:22528): avc:  denied  { name_connect } for  pid=49438 comm="glance-registry" dest=5000 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:commplex_main_port_t:s0 tclass=tcp_socket
# yum install setroubleshoot

# sealert -a /var/log/audit/audit.log > ~/sealert.log
# grep glance-registry /var/log/audit/audit.log | audit2allow -M glance-registry-pol
# semodule -i glance-registry-pol.pp

This works for me.
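The audit2allow workaround above installs whatever rule the denial implies without showing it first. As an added example (not from this bug report or from openstack-selinux), the POSIX sh function below extracts from AVC records such as the one quoted in this bug the allow rule a generated module would contain, so it can be reviewed before 'semodule -i'; the sample record is a constructed copy of the denial from the description.

```shell
#!/bin/sh
# Added example (not from this bug or openstack-selinux): summarise AVC
# denials as the allow rule audit2allow would generate, so the rule can be
# reviewed before 'semodule -i'. Needs only POSIX sh, grep, sed and sort.

# Constructed sample input: a copy of the denial quoted in this bug.
SAMPLE_AVC='type=AVC msg=audit(1455113474.656:285): avc:  denied  { name_connect } for  pid=3197 comm="glance-registry" dest=5000 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:commplex_main_port_t:s0 tclass=tcp_socket'

# Read audit records on stdin, print one 'allow' line per distinct denial.
# Source and target are the *types* (third field of each context), which is
# the granularity SELinux policy works at: a rule for commplex_main_port_t
# covers every port carrying that label, not just the dest= port in the
# record, so the port number is appended only as a comment for the reviewer.
avc_summary() {
  grep 'avc: *denied' | while IFS= read -r line; do
    perm=$(printf '%s\n' "$line" | sed -n 's/.*denied *{ *\([^}]*[^} ]\) *}.*/\1/p')
    src=$(printf '%s\n' "$line" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    tgt=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    cls=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    dest=$(printf '%s\n' "$line" | sed -n 's/.*dest=\([0-9]*\).*/\1/p')
    # Skip records that lack any field a rule needs.
    [ -n "$perm" ] && [ -n "$src" ] && [ -n "$tgt" ] && [ -n "$cls" ] || continue
    printf 'allow %s %s:%s %s;%s\n' "$src" "$tgt" "$cls" "$perm" "${dest:+ # dest port $dest}"
  done | sort -u
}

# Stand-alone run: shows what installing a generated module would permit.
printf '%s\n' "$SAMPLE_AVC" | avc_summary
```

On a real system, pipe `grep glance-registry /var/log/audit/audit.log` into `avc_summary` and compare the result with the `.te` file audit2allow writes; the vendored fix in openstack-selinux-0.6.53-1.el7ost makes the local module unnecessary.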

Comment 6 errata-xmlrpc 2016-04-07 21:28:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-0603.html
