Bug 1306525 - Nova - Glance communication denied by selinux
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux
Version: 8.0 (Liberty)
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ga
Target Release: 8.0 (Liberty)
Assigned To: Ryan Hallisey
QA Contact: Alexander Stafeyev
Reported: 2016-02-11 02:48 EST by Maxim Babushkin
Modified: 2016-04-07 17:28 EDT (History)

Fixed In Version: openstack-selinux-0.6.53-1.el7ost
Doc Type: Bug Fix
Doc Text:
Previously, when nova was trying to retrieve a list of glance images, SELinux prevented that, and nova failed with an "Unexpected API Error". This update allows nova to communicate with glance. As a result, nova can now list glance images.
Last Closed: 2016-04-07 17:28:10 EDT
Type: Bug

Attachments
Setroubleshooter.log (1.93 KB, text/plain), 2016-02-11 02:48 EST, Maxim Babushkin

Description Maxim Babushkin 2016-02-11 02:48:47 EST
Created attachment 1123090

Description of problem:
Nova - Glance communication denied by selinux

Package information:
* openstack-selinux-0.6.41-1.el7.noarch
* openstack-glance-11.0.1-2.el7.noarch
* openstack-nova-compute-12.0.1-1.el7.noarch

The installation was made from RDO, Liberty version, all in one.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install glance and nova service.
2. Upload test image to glance.
3. Run 'nova image-list' command.

Actual results:
The 'nova image-list' command returns an "Unexpected API Error".

ERROR (ClientException): Unexpected API Error. Please report this at http://bugs.launchpad.net/nova/ and attach the Nova API log if possible.
<class 'glanceclient.exc.HTTPInternalServerError'> (HTTP 500) (Request-ID: req-58690167-8667-47bf-874a-eb2cf5579c83)

The audit log:
type=AVC msg=audit(1455113474.656:285): avc:  denied  { name_connect } for  pid=3197 comm="glance-registry" dest=5000 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:commplex_main_port_t:s0 tclass=tcp_socket

*** See the attached setroubleshooter file.

Expected results:
Should provide the list of uploaded images.

Additional info:
The command 'glance image-list' works correctly, and provides the list of uploaded images.
Comment 4 Alexander Stafeyev 2016-03-01 04:43:39 EST
[root@overcloud-controller-0 ~]# nova image-list
| ID                                   | Name   | Status | Server |
| ea5007df-5931-4323-bd95-83250eae3295 | cirros | ACTIVE |        |
[root@overcloud-controller-0 ~]# 

[root@overcloud-controller-0 ~]# rpm -qa | grep tack-seli
Comment 5 webdesigner 2016-03-24 05:54:51 EDT
# cat /var/log/audit/audit.log | grep glance
type=AVC msg=audit(1458812176.200:22528): avc:  denied  { name_connect } for  pid=49438 comm="glance-registry" dest=5000 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:commplex_main_port_t:s0 tclass=tcp_socket

# yum install setroubleshoot

# sealert -a /var/log/audit/audit.log > ~/sealert.log
# grep glance-registry /var/log/audit/audit.log | audit2allow -M glance-registry-pol
# semodule -i glance-registry-pol.pp

this works for me
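The denial quoted in the report and the one quoted in comment 5 are the same AVC record (glance-registry, as glance_registry_t, refused name_connect to TCP port 5000, which the default policy labels commplex_main_port_t), and the workaround in comment 5 feeds every audit line mentioning glance-registry into audit2allow and loads the module without looking at it. The following is an added example, not code from the bug report or from openstack-selinux: it parses an AVC record into its fields and derives the allow rule it implies, so the rule can be read before anything is installed. The two sample records are the ones quoted on this page; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the bug report or of openstack-selinux.
# Parses SELinux AVC denial records and derives the allow rule each implies,
# so the rule can be read before a module built with audit2allow is loaded.
# Function names (avc_field, avc_perms, ctx_type, avc_to_allow,
# allow_rules_for_comm) are this example's own.

# Constructed sample: the denial quoted in the report, as one line.
SAMPLE_AVC='type=AVC msg=audit(1455113474.656:285): avc:  denied  { name_connect } for  pid=3197 comm="glance-registry" dest=5000 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:commplex_main_port_t:s0 tclass=tcp_socket'

# Constructed sample log: the same denial as logged in the report and again
# in comment 5 (different pid and timestamp, identical rule).
SAMPLE_LOG="$SAMPLE_AVC
type=AVC msg=audit(1458812176.200:22528): avc:  denied  { name_connect } for  pid=49438 comm=\"glance-registry\" dest=5000 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:commplex_main_port_t:s0 tclass=tcp_socket"

# avc_field RECORD KEY: value of the KEY=value pair in an AVC record,
# with surrounding double quotes removed (comm="x" -> x, dest=5000 -> 5000).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms RECORD: the permission set between the braces (e.g. name_connect).
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ \([^}]*\) }.*/\1/p'
}

# ctx_type CONTEXT: the type component of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_allow RECORD: the single allow rule that would clear this denial,
# in the .te syntax audit2allow emits.
avc_to_allow() {
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    printf 'allow %s %s:%s { %s };\n' "$src" "$tgt" "$cls" "$(avc_perms "$1")"
}

# allow_rules_for_comm COMM: reads an audit log on stdin and prints the
# distinct allow rules implied by AVC records for that process name.
# This is the rule set a module built from the grep in comment 5 would
# carry, minus anything the grep matched that was not an AVC record.
allow_rules_for_comm() {
    while IFS= read -r line; do
        case $line in
            type=AVC*comm=\"$1\"*) avc_to_allow "$line" ;;
        esac
    done | sort -u
}

# Stand-alone run: show the fields and the rule for the report's denial,
# then the de-duplicated rule set for the two-record sample log.
printf 'process:    %s\n' "$(avc_field "$SAMPLE_AVC" comm)"
printf 'dest port:  %s\n' "$(avc_field "$SAMPLE_AVC" dest)"
printf 'rule:       %s\n' "$(avc_to_allow "$SAMPLE_AVC")"
printf '%s\n' "$SAMPLE_LOG" | allow_rules_for_comm glance-registry
```

For the records on this page the derived rule is `allow glance_registry_t commplex_main_port_t:tcp_socket { name_connect };`, which is what the module from comment 5 grants. Two things are worth checking before running `semodule -i`: commplex_main_port_t is the default policy's label for port 5000, so the rule lets glance-registry connect to anything listening on that port, not only keystone; and once the fixed openstack-selinux-0.6.53-1.el7ost named under "Fixed In Version" is installed, the hand-built module is redundant and can be dropped with `semodule -r glance-registry-pol`.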
Comment 6 errata-xmlrpc 2016-04-07 17:28:10 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

