Bug 1376288 - rhel-osp-director: Introspection fails on VM environment due to selinux: avc: denied { getattr } for pid=21038 comm="httpd" path="/httpboot/inspector.ipxe"
Summary: rhel-osp-director: Introspection fails on VM environment due to selinux: avc:...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: puppet-ironic
Version: 10.0 (Newton)
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: beta
: 10.0 (Newton)
Assignee: Lukas Bezdicka
QA Contact: Dmitry Tantsur
URL:
Whiteboard:
: 1376750 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-09-15 04:09 UTC by Alexander Chuzhoy
Modified: 2016-12-14 16:02 UTC (History)
19 users (show)

Fixed In Version: puppet-ironic-9.2.0-0.20160905145838.d14c611.1.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-12-14 16:02:13 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2016:2948 normal SHIPPED_LIVE Red Hat OpenStack Platform 10 enhancement update 2016-12-14 19:55:27 UTC
OpenStack gerrit 371462 None None None 2016-09-16 14:44:36 UTC

Description Alexander Chuzhoy 2016-09-15 04:09:06 UTC
rhel-osp-director: Introspection fails on VM environment due to selinux: avc:  type=AVC msg=audit(1473911455.239:3068): avc:  denied  { getattr } for  pid=21038 comm="httpd" path="/httpboot/inspector.ipxe" dev="sda1" ino=4718595 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file


Environment:
openstack-ironic-inspector-4.1.1-0.20160906074601.0276422.el7ost.noarch
openstack-ironic-common-6.1.1-0.20160907120305.0acdfca.el7ost.noarch
libselinux-2.5-4.el7.x86_64
selinux-policy-targeted-3.13.1-93.el7.noarch
python-ironic-inspector-client-1.9.0-0.20160902092624.6364bc9.el7ost.noarch
openstack-selinux-0.7.7-1.el7ost.noarch
openstack-ironic-conductor-6.1.1-0.20160907120305.0acdfca.el7ost.noarch
instack-undercloud-5.0.0-0.20160907134010.649dc3f.el7ost.noarch
python-ironic-tests-6.1.1-0.20160907120305.0acdfca.el7ost.noarch
openstack-ironic-api-6.1.1-0.20160907120305.0acdfca.el7ost.noarch
python-ironic-lib-2.1.0-0.20160829084617.52b2d2f.el7ost.noarch
selinux-policy-3.13.1-93.el7.noarch
libselinux-ruby-2.5-4.el7.x86_64
puppet-ironic-9.2.0-0.20160905145838.d14c611.el7ost.noarch
python-ironicclient-1.7.0-0.20160902094012.464044f.el7ost.noarch
libselinux-utils-2.5-4.el7.x86_64
libselinux-python-2.5-4.el7.x86_64


Steps to reproduce:
1. Deploy undercloud, import images, register nodes.
2. Attempt to introspect the registered nodes.

Result:
The introspection times out.

I see AVC in /var/log/audit/audit.log:
type=AVC msg=audit(1473911422.364:2833): avc:  denied  { getattr } for  pid=21037 comm="httpd" path="/httpboot/inspector.ipxe" dev="sda1" ino=4718595 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1473911428.045:2933): avc:  denied  { getattr } for  pid=21035 comm="httpd" path="/httpboot/inspector.ipxe" dev="sda1" ino=4718595 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1473911428.046:2934): avc:  denied  { getattr } for  pid=21035 comm="httpd" path="/httpboot/inspector.ipxe" dev="sda1" ino=4718595 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1473911433.193:3001): avc:  denied  { getattr } for  pid=21041 comm="httpd" path="/httpboot/inspector.ipxe" dev="sda1" ino=4718595 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1473911433.193:3002): avc:  denied  { getattr } for  pid=21041 comm="httpd" path="/httpboot/inspector.ipxe" dev="sda1" ino=4718595 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1473911437.381:3060): avc:  denied  { getattr } for  pid=21036 comm="httpd" path="/httpboot/inspector.ipxe" dev="sda1" ino=4718595 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1473911437.381:3061): avc:  denied  { getattr } for  pid=21036 comm="httpd" path="/httpboot/inspector.ipxe" dev="sda1" ino=4718595 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1473911442.046:3062): avc:  denied  { getattr } for  pid=21888 comm="httpd" path="/httpboot/inspector.ipxe" dev="sda1" ino=4718595 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1473911442.046:3063): avc:  denied  { getattr } for  pid=21888 comm="httpd" path="/httpboot/inspector.ipxe" dev="sda1" ino=4718595 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1473911445.885:3064): avc:  denied  { getattr } for  pid=21883 comm="httpd" path="/httpboot/inspector.ipxe" dev="sda1" ino=4718595 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1473911445.885:3065): avc:  denied  { getattr } for  pid=21883 comm="httpd" path="/httpboot/inspector.ipxe" dev="sda1" ino=4718595 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1473911450.365:3066): avc:  denied  { getattr } for  pid=22049 comm="httpd" path="/httpboot/inspector.ipxe" dev="sda1" ino=4718595 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1473911450.365:3067): avc:  denied  { getattr } for  pid=22049 comm="httpd" path="/httpboot/inspector.ipxe" dev="sda1" ino=4718595 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1473911455.239:3068): avc:  denied  { getattr } for  pid=21038 comm="httpd" path="/httpboot/inspector.ipxe" dev="sda1" ino=4718595 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1473911455.240:3069): avc:  denied  { getattr } for  pid=21038 comm="httpd" path="/httpboot/inspector.ipxe" dev="sda1" ino=4718595 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file



w/a:
run setenforce 0 on the undercloud before running introspection.

Comment 2 Ryan Hallisey 2016-09-15 17:25:36 UTC
The fix should be a restorecon.

restorecon -Rv /httpboot

Comment 3 Mike Burns 2016-09-16 11:04:42 UTC
*** Bug 1376750 has been marked as a duplicate of this bug. ***

Comment 4 Attila Fazekas 2016-09-16 11:12:09 UTC
Likely the issue is in the puppet-ironic, or whatever created the file with wrong context is the responsible component.

Comment 5 James Slagle 2016-09-20 17:54:59 UTC
moving back to ON_DEV as this is not yet committed downstream. see https://mojo.redhat.com/docs/DOC-1081437 for info about bugzilla states.

Comment 6 Jon Schlueter 2016-09-20 18:56:31 UTC
Steve Linabery confirmed this build allows the introspection phase to succeed

Comment 8 Dmitry Tantsur 2016-10-17 07:46:36 UTC
Happened to test this on Friday with the latest puddle, introspection works just fine.

Comment 11 errata-xmlrpc 2016-12-14 16:02:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2948.html


Note You need to log in before you can comment on or make changes to this bug.