Bug 1376288 - rhel-osp-director: Introspection fails on VM environment due to selinux: avc: denied { getattr } for pid=21038 comm="httpd" path="/httpboot/inspector.ipxe"
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: puppet-ironic
Version: 10.0 (Newton)
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: beta
Target Release: 10.0 (Newton)
Assignee: Lukas Bezdicka
QA Contact: Dmitry Tantsur
URL:
Whiteboard:
Duplicates: 1376750
Depends On:
Blocks:
Reported: 2016-09-15 04:09 UTC by Alexander Chuzhoy
Modified: 2016-12-14 16:02 UTC (History)

Fixed In Version: puppet-ironic-9.2.0-0.20160905145838.d14c611.1.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-12-14 16:02:13 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
OpenStack gerrit 371462 0 None None None 2016-09-16 14:44:36 UTC
Red Hat Product Errata RHEA-2016:2948 0 normal SHIPPED_LIVE Red Hat OpenStack Platform 10 enhancement update 2016-12-14 19:55:27 UTC

Description Alexander Chuzhoy 2016-09-15 04:09:06 UTC
rhel-osp-director: Introspection fails on VM environment due to selinux: avc:  type=AVC msg=audit(1473911455.239:3068): avc:  denied  { getattr } for  pid=21038 comm="httpd" path="/httpboot/inspector.ipxe" dev="sda1" ino=4718595 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file


Environment:
openstack-ironic-inspector-4.1.1-0.20160906074601.0276422.el7ost.noarch
openstack-ironic-common-6.1.1-0.20160907120305.0acdfca.el7ost.noarch
libselinux-2.5-4.el7.x86_64
selinux-policy-targeted-3.13.1-93.el7.noarch
python-ironic-inspector-client-1.9.0-0.20160902092624.6364bc9.el7ost.noarch
openstack-selinux-0.7.7-1.el7ost.noarch
openstack-ironic-conductor-6.1.1-0.20160907120305.0acdfca.el7ost.noarch
instack-undercloud-5.0.0-0.20160907134010.649dc3f.el7ost.noarch
python-ironic-tests-6.1.1-0.20160907120305.0acdfca.el7ost.noarch
openstack-ironic-api-6.1.1-0.20160907120305.0acdfca.el7ost.noarch
python-ironic-lib-2.1.0-0.20160829084617.52b2d2f.el7ost.noarch
selinux-policy-3.13.1-93.el7.noarch
libselinux-ruby-2.5-4.el7.x86_64
puppet-ironic-9.2.0-0.20160905145838.d14c611.el7ost.noarch
python-ironicclient-1.7.0-0.20160902094012.464044f.el7ost.noarch
libselinux-utils-2.5-4.el7.x86_64
libselinux-python-2.5-4.el7.x86_64


Steps to reproduce:
1. Deploy undercloud, import images, register nodes.
2. Attempt to introspect the registered nodes.

Result:
The introspection times out.

I see AVC in /var/log/audit/audit.log:
type=AVC msg=audit(1473911422.364:2833): avc:  denied  { getattr } for  pid=21037 comm="httpd" path="/httpboot/inspector.ipxe" dev="sda1" ino=4718595 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1473911428.045:2933): avc:  denied  { getattr } for  pid=21035 comm="httpd" path="/httpboot/inspector.ipxe" dev="sda1" ino=4718595 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1473911428.046:2934): avc:  denied  { getattr } for  pid=21035 comm="httpd" path="/httpboot/inspector.ipxe" dev="sda1" ino=4718595 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1473911433.193:3001): avc:  denied  { getattr } for  pid=21041 comm="httpd" path="/httpboot/inspector.ipxe" dev="sda1" ino=4718595 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1473911433.193:3002): avc:  denied  { getattr } for  pid=21041 comm="httpd" path="/httpboot/inspector.ipxe" dev="sda1" ino=4718595 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1473911437.381:3060): avc:  denied  { getattr } for  pid=21036 comm="httpd" path="/httpboot/inspector.ipxe" dev="sda1" ino=4718595 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1473911437.381:3061): avc:  denied  { getattr } for  pid=21036 comm="httpd" path="/httpboot/inspector.ipxe" dev="sda1" ino=4718595 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1473911442.046:3062): avc:  denied  { getattr } for  pid=21888 comm="httpd" path="/httpboot/inspector.ipxe" dev="sda1" ino=4718595 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1473911442.046:3063): avc:  denied  { getattr } for  pid=21888 comm="httpd" path="/httpboot/inspector.ipxe" dev="sda1" ino=4718595 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1473911445.885:3064): avc:  denied  { getattr } for  pid=21883 comm="httpd" path="/httpboot/inspector.ipxe" dev="sda1" ino=4718595 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1473911445.885:3065): avc:  denied  { getattr } for  pid=21883 comm="httpd" path="/httpboot/inspector.ipxe" dev="sda1" ino=4718595 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1473911450.365:3066): avc:  denied  { getattr } for  pid=22049 comm="httpd" path="/httpboot/inspector.ipxe" dev="sda1" ino=4718595 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1473911450.365:3067): avc:  denied  { getattr } for  pid=22049 comm="httpd" path="/httpboot/inspector.ipxe" dev="sda1" ino=4718595 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1473911455.239:3068): avc:  denied  { getattr } for  pid=21038 comm="httpd" path="/httpboot/inspector.ipxe" dev="sda1" ino=4718595 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1473911455.240:3069): avc:  denied  { getattr } for  pid=21038 comm="httpd" path="/httpboot/inspector.ipxe" dev="sda1" ino=4718595 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file



w/a:
run setenforce 0 on the undercloud before running introspection.

Comment 2 Ryan Hallisey 2016-09-15 17:25:36 UTC
The fix should be a restorecon.

restorecon -Rv /httpboot
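
Added example (not part of the bug report or of puppet-ironic): a small triage script that collapses repeated AVC denials like those in the description and flags the ones whose target carries a fallback label, which is the case where a relabel such as the restorecon above applies. The `FALLBACK_TYPES` set, the function names and the third sample record are assumptions made for illustration.

```python
import posixpath
import re
from collections import Counter

# Two records copied from the report, plus one constructed record (the last) for contrast.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1473911422.364:2833): avc:  denied  { getattr } for  pid=21037 comm="httpd" path="/httpboot/inspector.ipxe" dev="sda1" ino=4718595 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1473911428.045:2933): avc:  denied  { getattr } for  pid=21035 comm="httpd" path="/httpboot/inspector.ipxe" dev="sda1" ino=4718595 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1473911500.000:4000): avc:  denied  { read } for  pid=30000 comm="httpd" path="/srv/example/data.txt" dev="sda1" ino=100 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'comm="(?P<comm>[^"]+)".*?path="(?P<path>[^"]+)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Assumption (heuristic): a target still in one of these types was never labelled
# from the file-context rules, so relabelling is the first thing to try.
FALLBACK_TYPES = {"default_t", "unlabeled_t"}

def selinux_type(context):
    """Return the type field of a user:role:type:level context string."""
    return context.split(":")[2]

def summarize_denials(log_text):
    """Group identical denials and attach a first remediation hint to each group."""
    counts = Counter()
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (m["comm"], m["path"], m["perms"],
                   selinux_type(m["scontext"]), selinux_type(m["tcontext"]))
            counts[key] += 1
    findings = []
    for (comm, path, perms, stype, ttype), n in sorted(counts.items()):
        mislabeled = ttype in FALLBACK_TYPES
        findings.append({
            "comm": comm, "path": path, "perms": perms,
            "source_type": stype, "target_type": ttype, "count": n,
            "mislabeled": mislabeled,
            "hint": ("restorecon -Rv " + posixpath.dirname(path)) if mislabeled
                    else "review the file-context rule or policy for " + path,
        })
    return findings

if __name__ == "__main__":
    for finding in summarize_denials(SAMPLE_AUDIT_LOG):
        print(finding)
```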

Comment 3 Mike Burns 2016-09-16 11:04:42 UTC
*** Bug 1376750 has been marked as a duplicate of this bug. ***

Comment 4 Attila Fazekas 2016-09-16 11:12:09 UTC
Likely the issue is in puppet-ironic, or whatever created the file with the wrong context is the responsible component.

Comment 5 James Slagle 2016-09-20 17:54:59 UTC
Moving back to ON_DEV as this is not yet committed downstream. See https://mojo.redhat.com/docs/DOC-1081437 for info about bugzilla states.

Comment 6 Jon Schlueter 2016-09-20 18:56:31 UTC
Steve Linabery confirmed this build allows the introspection phase to succeed

Comment 8 Dmitry Tantsur 2016-10-17 07:46:36 UTC
Happened to test this on Friday with the latest puddle, introspection works just fine.

Comment 11 errata-xmlrpc 2016-12-14 16:02:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2948.html

