Description of problem:
Nova API can't be started in WSGI with Apache, there is no SELinux policy that allows it.

Version-Release number of selected component (if applicable):
All releases.

How reproducible:
Deploy Apache and configure it to run Nova API wsgi.

Actual results:
Got an AVC in audit.log:

SELinux is preventing /usr/sbin/httpd from write access on the directory nova.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that httpd should be allowed write access on the nova directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:nova_log_t:s0
Target Objects                nova [ dir ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           httpd-2.4.6-40.el7.centos.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-60.el7_2.3.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     jenkins
Platform                      Linux jenkins 3.10.0-327.4.5.el7.x86_64 #1 SMP Mon Jan 25 22:07:14 UTC 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2016-03-07 19:28:12 UTC
Last Seen                     2016-03-07 19:28:12 UTC
Local ID                      982159d8-beeb-44f6-a8f5-1fdc5d1c21a2

Raw Audit Messages
type=AVC msg=audit(1457378892.760:805): avc: denied { write } for pid=21776 comm="httpd" name="nova" dev="vda1" ino=310432274 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nova_log_t:s0 tclass=dir

type=AVC msg=audit(1457378892.760:805): avc: denied { add_name } for pid=21776 comm="httpd" name="nova-api.log" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nova_log_t:s0 tclass=dir

type=AVC msg=audit(1457378892.760:805): avc: denied { create } for pid=21776 comm="httpd" name="nova-api.log" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nova_log_t:s0 tclass=file

type=AVC msg=audit(1457378892.760:805): avc: denied { open } for pid=21776 comm="httpd" path="/var/log/nova/nova-api.log" dev="vda1" ino=310446781 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nova_log_t:s0 tclass=file

type=SYSCALL msg=audit(1457378892.760:805): arch=x86_64 syscall=open success=yes exit=EFAULT a0=7f023fbac2f0 a1=441 a2=1b6 a3=24 items=0 ppid=21742 pid=21776 auid=4294967295 uid=162 gid=162 euid=162 suid=162 fsuid=162 egid=162 sgid=162 fsgid=162 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: httpd,httpd_t,nova_log_t,dir,write

Expected results:
Deploy Nova in WSGI without AVC.
One more AVC:

type=AVC msg=audit(1457450838.6:501): avc: denied { name_bind } for pid=23197 comm="httpd" src=8774 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:osapi_compute_port_t:s0 tclass=tcp_socket
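The denials in the report and in the comment above are the raw material that the suggested `audit2allow` pipeline would turn into a local policy module. The following is an added example (not part of this bug report and not openstack-selinux or setroubleshoot code) that parses those AVC records, groups the denied permissions by source domain, target type and object class, and renders them as the allow rules audit2allow would propose, so the rules can be reviewed before anyone considers loading them. The audit lines are copied from this report; `parse_avc`, `summarize_denials` and `allow_rules` are names chosen here.

```python
import re
from collections import defaultdict

# Audit records copied verbatim from the bug report above; nothing here is
# constructed.  The SYSCALL record is included to show it is filtered out.
AUDIT_LINES = [
    'type=AVC msg=audit(1457378892.760:805): avc: denied { write } for pid=21776 comm="httpd" name="nova" dev="vda1" ino=310432274 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nova_log_t:s0 tclass=dir',
    'type=AVC msg=audit(1457378892.760:805): avc: denied { add_name } for pid=21776 comm="httpd" name="nova-api.log" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nova_log_t:s0 tclass=dir',
    'type=AVC msg=audit(1457378892.760:805): avc: denied { create } for pid=21776 comm="httpd" name="nova-api.log" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nova_log_t:s0 tclass=file',
    'type=AVC msg=audit(1457378892.760:805): avc: denied { open } for pid=21776 comm="httpd" path="/var/log/nova/nova-api.log" dev="vda1" ino=310446781 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nova_log_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1457378892.760:805): arch=x86_64 syscall=open success=yes exit=EFAULT a0=7f023fbac2f0 a1=441 a2=1b6 a3=24 items=0 ppid=21742 pid=21776 auid=4294967295 uid=162 gid=162 euid=162 suid=162 fsuid=162 egid=162 sgid=162 fsgid=162 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)',
    'type=AVC msg=audit(1457450838.6:501): avc: denied { name_bind } for pid=23197 comm="httpd" src=8774 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:osapi_compute_port_t:s0 tclass=tcp_socket',
]

# One AVC record: the verdict, the permission set in braces, and the three
# fields a policy rule is keyed on (source domain, target type, object class).
AVC_RE = re.compile(
    r'^type=AVC\b.*?\bavc:\s+(?P<verdict>denied|granted)\s+'
    r'\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
)
COMM_RE = re.compile(r'\bcomm="([^"]*)"')


def context_type(ctx):
    """user:role:type:level -> type, the field policy rules are written against."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit record type."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    comm = COMM_RE.search(line)
    return {
        'verdict': m.group('verdict'),
        'perms': m.group('perms').split(),
        'comm': comm.group(1) if comm else None,
        'source_type': context_type(m.group('scontext')),
        'target_type': context_type(m.group('tcontext')),
        'tclass': m.group('tclass'),
    }


def summarize_denials(lines, source_type=None):
    """Group denied permissions by (source domain, target type, class).

    source_type restricts the summary to one domain, e.g. 'httpd_t'.  That is
    the role the `grep httpd` plays in the setroubleshoot suggestion, but keyed
    on the SELinux domain instead of the command name.
    """
    grouped = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['verdict'] != 'denied':
            continue
        if source_type is not None and rec['source_type'] != source_type:
            continue
        key = (rec['source_type'], rec['target_type'], rec['tclass'])
        grouped[key].update(rec['perms'])
    return {k: sorted(v) for k, v in sorted(grouped.items())}


def allow_rules(lines, source_type=None):
    """Render the grouped denials as the allow rules audit2allow would propose."""
    return [
        'allow %s %s:%s { %s };' % (src, tgt, cls, ' '.join(perms))
        for (src, tgt, cls), perms in summarize_denials(lines, source_type).items()
    ]


if __name__ == '__main__':
    for rule in allow_rules(AUDIT_LINES, source_type='httpd_t'):
        print(rule)
```

Run against the report's records this yields three rules: `httpd_t` writing and adding names in `nova_log_t` directories, creating and opening `nova_log_t` files, and binding `osapi_compute_port_t` TCP ports. Seeing them grouped like this is what makes the review meaningful: the first two grant the web server's whole domain write access to another service's log type, which is why the reporter's expected result is a policy that covers the WSGI deployment rather than a catch-all local module. Note also that the report shows `Enforcing Mode Permissive`, which is why the SYSCALL record says `success=yes` even though the AVC records are denials.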
Does the current director deployment recreate the scenario mentioned above - "Deploy Apache and configure it to run Nova API wsgi"?
Yes, only on the undercloud though.
Verified on: openstack-selinux-0.7.3-3.el7ost.noarch. BM setup undercloud doesn't have any AVC regarding httpd or nova. Using this undercloud I was able to successfully deploy an overcloud with 3 controllers and 1 compute.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2016-1597.html