Description of problem:
While running glance on overcloud with cinder backend configuration the glance commands are failing due to selinux blocking of glance-api process

sealert output:

SELinux is preventing /usr/bin/python2.7 from create access on the sock_file privsep.sock.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that python2.7 should be allowed create access on the privsep.sock sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'glance-api' --raw | audit2allow -M my-glanceapi
# semodule -i my-glanceapi.pp

Additional Information:
Source Context                system_u:system_r:glance_api_t:s0
Target Context                system_u:object_r:glance_tmp_t:s0
Target Objects                privsep.sock [ sock_file ]
Source                        glance-api
Source Path                   /usr/bin/python2.7
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           python-2.7.5-48.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-102.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     controller-0.localdomain
Platform                      Linux controller-0.localdomain 3.10.0-513.el7.x86_64 #1 SMP Wed Oct 12 09:41:28 EDT 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2016-11-15 12:27:02 UTC
Last Seen                     2016-11-15 12:27:02 UTC
Local ID                      32bbd164-bc85-43a9-a94e-3c3a7a8b6db8

Raw Audit Messages
type=AVC msg=audit(1479212822.497:463): avc: denied { create } for pid=4322 comm="glance-api" name="privsep.sock" scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:glance_tmp_t:s0 tclass=sock_file

type=SYSCALL msg=audit(1479212822.497:463): arch=x86_64 syscall=bind success=yes exit=0 a0=a a1=7ffdcbe57080 a2=1d a3=706d742f706d742f items=0 ppid=2272 pid=4322 auid=4294967295 uid=161 gid=161 euid=161 suid=161 fsuid=161 egid=161 sgid=161 fsgid=161 tty=(none) ses=4294967295 comm=glance-api exe=/usr/bin/python2.7 subj=system_u:system_r:glance_api_t:s0 key=(null)
Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install RHOS10 with Cinder as Glance backend
2. Run the following command: openstack image create --name image1
3.

Actual results:
error 503 permission denied

Expected results:
the command successfully passed

Additional info:
I do not think that Glance knows about SELinux. Shouldn't this be a triple-o bug?
Moved to SElinux team
Created attachment 1221609
first go at selinux policy changes for glance/oslo.privsep

I've assembled this policy while testing the cinder driver for glance. This enables Glance to load oslo.privsep: a privsep.sock file is created in /tmp/<random>/privsep.sock, which is used to communicate between the original glance-api process and the privileged child process. The execute permission is required for the sudo exec of the child privsep process.
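For operators triaging this denial, the following added example (not code from the bug report, the attachment, or openstack-selinux) parses the raw AVC record quoted in the description, identifies the glance_api_t -> glance_tmp_t sock_file pattern the policy change above addresses, and renders the type-enforcement allow rule that audit2allow would derive from it. The sample line is the one from the description; the classification of "known privsep denial" is this example's own heuristic, not something the page defines.

```python
import re

# Sample input, copied from the Raw Audit Messages in the bug description (constructed test data here).
SAMPLE_AVC = (
    'type=AVC msg=audit(1479212822.497:463): avc: denied { create } for pid=4322 '
    'comm="glance-api" name="privsep.sock" scontext=system_u:system_r:glance_api_t:s0 '
    'tcontext=system_u:object_r:glance_tmp_t:s0 tclass=sock_file'
)

# avc: <denied|granted> { perm perm ... } for key=value key="value" ...
AVC_RE = re.compile(r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict describing one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec = {
        'decision': m.group('decision'),
        'perms': set(m.group('perms').split()),
        'pid': int(fields['pid']) if 'pid' in fields else None,
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'tclass': fields.get('tclass'),
    }
    # Split user:role:type:level so callers can compare on the type component.
    for ctx in ('scontext', 'tcontext'):
        user, role, typ = fields[ctx].split(':', 3)[:3]
        rec[ctx] = {'user': user, 'role': role, 'type': typ, 'level': ':'.join(fields[ctx].split(':')[3:])}
    return rec


def is_glance_privsep_denial(rec):
    """Heuristic (this example's own): does the record match the glance-api privsep socket denial?"""
    return (rec['decision'] == 'denied'
            and rec['scontext']['type'] == 'glance_api_t'
            and rec['tcontext']['type'] == 'glance_tmp_t'
            and rec['tclass'] == 'sock_file'
            and rec['name'] == 'privsep.sock')


def allow_rule(rec):
    """Render the type-enforcement allow rule audit2allow would generate for this denial."""
    return 'allow %s %s:%s { %s };' % (rec['scontext']['type'], rec['tcontext']['type'],
                                       rec['tclass'], ' '.join(sorted(rec['perms'])))


if __name__ == '__main__':
    record = parse_avc(SAMPLE_AVC)
    print(is_glance_privsep_denial(record), allow_rule(record))
```

Note that the description's SYSCALL record shows success=yes because the host was in permissive mode; the same denial under enforcing mode is what produces the 503 in the reproduction steps.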
https://github.com/redhat-openstack/openstack-selinux/commit/9a7c7eab92401f424f254d6f33f515b4d5e23960
Verified RPM install
# rpm -q openstack-selinux
# openstack-selinux-0.8.5-8.el7ost.noarch

Cannot verify full functionality since other components that are depending on this configuration are not released in the current version.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2017:1245