rhel-osp-director: Introspection fails on VM environment due to selinux: avc:

type=AVC msg=audit(1473911455.239:3068): avc: denied { getattr } for pid=21038 comm="httpd" path="/httpboot/inspector.ipxe" dev="sda1" ino=4718595 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file

Environment:
openstack-ironic-inspector-4.1.1-0.20160906074601.0276422.el7ost.noarch
openstack-ironic-common-6.1.1-0.20160907120305.0acdfca.el7ost.noarch
libselinux-2.5-4.el7.x86_64
selinux-policy-targeted-3.13.1-93.el7.noarch
python-ironic-inspector-client-1.9.0-0.20160902092624.6364bc9.el7ost.noarch
openstack-selinux-0.7.7-1.el7ost.noarch
openstack-ironic-conductor-6.1.1-0.20160907120305.0acdfca.el7ost.noarch
instack-undercloud-5.0.0-0.20160907134010.649dc3f.el7ost.noarch
python-ironic-tests-6.1.1-0.20160907120305.0acdfca.el7ost.noarch
openstack-ironic-api-6.1.1-0.20160907120305.0acdfca.el7ost.noarch
python-ironic-lib-2.1.0-0.20160829084617.52b2d2f.el7ost.noarch
selinux-policy-3.13.1-93.el7.noarch
libselinux-ruby-2.5-4.el7.x86_64
puppet-ironic-9.2.0-0.20160905145838.d14c611.el7ost.noarch
python-ironicclient-1.7.0-0.20160902094012.464044f.el7ost.noarch
libselinux-utils-2.5-4.el7.x86_64
libselinux-python-2.5-4.el7.x86_64

Steps to reproduce:
1. Deploy undercloud, import images, register nodes.
2. Attempt to introspect the registered nodes.

Result:
The introspection times out.
I see AVC in /var/log/audit/audit.log.

w/a: run setenforce 0 on the undercloud before running introspection.
The fix should be a restorecon.

restorecon -Rv /httpboot
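The httpd_t-on-default_t denials reported above, collapsed and triaged, as an added example that is not part of the original bug report or of any Red Hat tooling: it parses AVC records, counts distinct denials, and lists paths whose target type is a fallback label, which are the ones a restorecon would be expected to correct. The log lines, function names and the FALLBACK_TYPES set are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed audit.log lines in the format quoted in this report (timestamps,
# serials and pids are made up; the last two records are unrelated contrast).
SAMPLE_LOG = """\
type=AVC msg=audit(1500000001.100:101): avc: denied { getattr } for pid=4001 comm="httpd" path="/httpboot/inspector.ipxe" dev="sda1" ino=4718595 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1500000006.200:102): avc: denied { getattr } for pid=4002 comm="httpd" path="/httpboot/inspector.ipxe" dev="sda1" ino=4718595 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1500000009.300:103): avc: denied { read } for pid=4003 comm="httpd" name="index.html" dev="sda1" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1500000009.300:103): arch=c000003e syscall=4 success=no comm="httpd"
"""

AVC_RE = re.compile(r"type=AVC msg=audit\([\d.]+:\d+\): avc:\s+denied\s+"
                    r"\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# default_t / unlabeled_t mean no specific label was applied to the object.
FALLBACK_TYPES = {"default_t", "unlabeled_t"}


def selinux_type(context):
    """Type field of user:role:type[:level]; the level may itself contain ':'."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Return (source, perms, target, tclass, path) for a denial, else None."""
    m = AVC_RE.search(line)
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))} if m else {}
    if "scontext" not in f or "tcontext" not in f:
        return None
    path = f.get("path") or f.get("name")  # some records carry only name=
    return (selinux_type(f["scontext"]), tuple(m.group("perms").split()),
            selinux_type(f["tcontext"]), f.get("tclass"), path)


def summarize(lines):
    """Collapse repeated denials into one counted entry per distinct tuple."""
    return Counter(filter(None, map(parse_avc, lines)))


def relabel_candidates(counts):
    """Paths whose target type is a fallback label: check with restorecon -n."""
    return sorted({k[4] for k in counts if k[2] in FALLBACK_TYPES and k[4]})


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    print(summary.most_common(), relabel_candidates(summary))
```

restorecon only changes a label when the loaded policy has a file-context rule for the path; `restorecon -Rnv /httpboot` shows what would change without applying it.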
*** Bug 1376750 has been marked as a duplicate of this bug. ***
Likely the issue is in puppet-ironic, or whatever created the file with the wrong context is the responsible component.
Moving back to ON_DEV as this is not yet committed downstream. See https://mojo.redhat.com/docs/DOC-1081437 for info about bugzilla states.
Steve Linabery confirmed this build allows the introspection phase to succeed.
Happened to test this on Friday with the latest puddle, introspection works just fine.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2016-2948.html