Bug 1395240 - SELinux blocks glance-api on overcloud
Status: CLOSED ERRATA
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux
Version: 10.0 (Newton)
Hardware: Unspecified
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: 11.0 (Ocata)
Assigned To: Lon Hohberger
QA Contact: Avi Avraham
Keywords: CodeChange, Triaged
Blocks: 1293435
Reported: 2016-11-15 08:56 EST by Avi Avraham
Modified: 2018-01-23 11:38 EST (History)
Fixed In Version: openstack-selinux-0.8.5-1.el7ost
Last Closed: 2017-05-17 15:46:30 EDT
Type: Bug
Flags: tshefi: automate_bug+

Attachments
first go at selinux policy changes for glance/oslo.privsep (364 bytes, text/plain)
2016-11-17 12:10 EST, Eric Harney


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2017:1245 normal SHIPPED_LIVE Red Hat OpenStack Platform 11.0 Bug Fix and Enhancement Advisory 2017-05-17 19:01:50 EDT
Description Avi Avraham 2016-11-15 08:56:09 EST
Description of problem:
While running Glance on the overcloud with the Cinder backend configuration, Glance commands fail because SELinux blocks the glance-api process.

sealert output:
SELinux is preventing /usr/bin/python2.7 from create access on the sock_file privsep.sock.
 
*****  Plugin catchall (100. confidence) suggests   **************************
 
If you believe that python2.7 should be allowed create access on the privsep.sock sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'glance-api' --raw | audit2allow -M my-glanceapi
# semodule -i my-glanceapi.pp
 
 
Additional Information:
Source Context                system_u:system_r:glance_api_t:s0
Target Context                system_u:object_r:glance_tmp_t:s0
Target Objects                privsep.sock [ sock_file ]
Source                        glance-api
Source Path                   /usr/bin/python2.7
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           python-2.7.5-48.el7.x86_64
Target RPM Packages          
Policy RPM                    selinux-policy-3.13.1-102.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     controller-0.localdomain
Platform                      Linux controller-0.localdomain
                              3.10.0-513.el7.x86_64 #1 SMP Wed Oct 12 09:41:28
                              EDT 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2016-11-15 12:27:02 UTC
Last Seen                     2016-11-15 12:27:02 UTC
Local ID                      32bbd164-bc85-43a9-a94e-3c3a7a8b6db8
 
Raw Audit Messages
type=AVC msg=audit(1479212822.497:463): avc:  denied  { create } for  pid=4322 comm="glance-api" name="privsep.sock" scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:glance_tmp_t:s0 tclass=sock_file
 
 
type=SYSCALL msg=audit(1479212822.497:463): arch=x86_64 syscall=bind success=yes exit=0 a0=a a1=7ffdcbe57080 a2=1d a3=706d742f706d742f items=0 ppid=2272 pid=4322 auid=4294967295 uid=161 gid=161 euid=161 suid=161 fsuid=161 egid=161 sgid=161 fsgid=161 tty=(none) ses=4294967295 comm=glance-api exe=/usr/bin/python2.7 subj=system_u:system_r:glance_api_t:s0 key=(null)
   

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Install RHOS10 with Cinder as the Glance backend
2. Run the following command: openstack image create --name image1

Actual results:
Error 503, permission denied

Expected results:
The command passes successfully.

Additional info:
Comment 2 Cyril Roelandt 2016-11-16 09:05:40 EST
I do not think that Glance knows about SELinux. Shouldn't this be a triple-o bug?
Comment 3 Avi Avraham 2016-11-17 06:13:40 EST
Moved to the SELinux team.
Comment 4 Eric Harney 2016-11-17 12:10 EST
Created attachment 1221609
first go at selinux policy changes for glance/oslo.privsep

I've assembled this policy while testing the cinder driver for glance.

This enables Glance to load oslo.privsep:  a privsep.sock file is created in /tmp/<random>/privsep.sock, which is used to communicate between the original glance-api process and the privileged child process.

The execute permission is required for the sudo exec of the child privsep process.
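What the sealert suggestion in the description (ausearch --raw | audit2allow -M my-glanceapi) produces from the raw AVC record, and the shape of the allow rules Comment 4 describes, as an added example that is not part of the bug report or of the openstack-selinux package: a small Python parser that turns denied AVC records into a policy module in the same layout audit2allow emits. The sample audit text is constructed here: its first AVC record is the one from the description, the SYSCALL record is abridged to a few fields, and the last two AVC records are made up to stand in for the socket use and the sudo exec of the privsep child; the target type sudo_exec_t and the extra permissions are assumptions for illustration and do not reproduce the contents of attachment 1221609.

```python
"""Turn raw AVC denials into an SELinux policy module, the way
`ausearch --raw | audit2allow -M name` does for the denial in this bug."""
import re
from collections import defaultdict

# Constructed sample (not captured from the bug's host): first AVC is the record
# from the description; the SYSCALL record is abridged; the last two AVC records
# are invented here for the socket use and the sudo exec mentioned in Comment 4
# (sudo_exec_t as the target type is an assumption).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1479212822.497:463): avc:  denied  { create } for  pid=4322 comm="glance-api" name="privsep.sock" scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:glance_tmp_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1479212822.497:463): arch=x86_64 syscall=bind success=yes exit=0 comm=glance-api exe=/usr/bin/python2.7 subj=system_u:system_r:glance_api_t:s0
type=AVC msg=audit(1479212822.498:464): avc:  denied  { write } for  pid=4322 comm="glance-api" name="privsep.sock" scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:glance_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1479212822.600:465): avc:  denied  { execute } for  pid=4322 comm="glance-api" name="sudo" scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
"""

# One AVC record per line: result, permission set, source/target contexts, class.
AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Third field of user:role:type:level is the type (MLS ranges may add more ':')."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for a denied AVC, else None."""
    m = AVC_RE.search(line)
    if m is None or m.group("result") != "denied":
        return None
    return (
        context_type(m.group("scontext")),
        context_type(m.group("tcontext")),
        m.group("tclass"),
        frozenset(m.group("perms").split()),
    )


def collect_rules(audit_text):
    """Merge every denial into one permission set per (source, target, class)."""
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        parsed = parse_avc(line)
        if parsed is not None:
            source, target, tclass, perms = parsed
            rules[(source, target, tclass)] |= perms
    return dict(rules)


def perm_list(perms):
    """Policy syntax: a single permission bare, several inside braces."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)


def render_module(name, rules):
    """Emit a .te module: require block for every type/class, then allow rules."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = ["module %s 1.0;" % name, "", "require {"]
    out += ["\ttype %s;" % t for t in types]
    out += ["\tclass %s %s;" % (c, perm_list(classes[c])) for c in sorted(classes)]
    out += ["}", ""]
    for source in sorted({key[0] for key in rules}):
        out.append("#============= %s ==============" % source)
        for source_t, target_t, tclass in sorted(rules):
            if source_t == source:
                out.append("allow %s %s:%s %s;" % (
                    source_t, target_t, tclass,
                    perm_list(rules[(source_t, target_t, tclass)])))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_module("my-glanceapi", collect_rules(SAMPLE_AUDIT)))
```

Two things to check before loading a module like this with checkmodule -M -m, semodule_package and semodule -i. First, the alert above was taken with SELinux in Permissive mode, which is why the SYSCALL record shows success=yes for the bind: the denial was only logged. In enforcing mode the bind fails and glance-api returns the 503 from the report. Second, audit2allow turns whatever appeared in the log into an allow rule, so confirm the target label is the one the policy intends; here glance_tmp_t on a file glance-api created under /tmp is expected, but a mislabeled file should be fixed with restorecon rather than with a new rule. A local module is a stopgap in any case: the errata fix ships the rules in openstack-selinux itself.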
Comment 12 Avi Avraham 2017-04-20 08:10:33 EDT
Verified RPM install
# rpm -q openstack-selinux
# openstack-selinux-0.8.5-8.el7ost.noarch

Can not verify full functionality since other components that are depending on this configuration are not released in the current version.
Comment 13 errata-xmlrpc 2017-05-17 15:46:30 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1245
